CVE-2024-38909 – studio-42/elfinder
Package
Manager: composer
Name: studio-42/elfinder
Vulnerable Version: >=0 <=2.1.64
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
EPSS: 0.00223 (percentile: 0.44933)
Details
Studio 42 elFinder vulnerable to Incorrect Access Control
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.
Metadata
Created: 2024-07-30T15:31:28Z
Modified: 2024-10-25T21:50:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3h9f-mm2x-4j58/GHSA-3h9f-mm2x-4j58.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-3h9f-mm2x-4j58
Finding: F039
Auto approve: 1