Description
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control (CWE-284). Copying files whose extension the file manager does not permit between server directories is not blocked, so a remote, unauthenticated attacker (CVSS PR:N) can place such a file where it exposes secrets or leads to remote code execution. The practical check for operators is that the extension restriction must apply to every operation that creates a file in the managed tree, not only to upload. This page lists 2.1.64 as the affected version and records no fixed version.
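The gap the description names is an extension policy that gates uploads but not copies. The following Python model of that pattern is an added example, not elFinder's PHP connector code; the class names, the allowlist, and the in-memory sample tree are assumed for illustration. The vulnerable manager checks names only in upload(); the hardened one applies the same check to copy() and rename(), i.e. to every path that creates a file.

```python
"""Added illustration (not elFinder's code): an upload extension allowlist that
is enforced on upload but not on copy or rename, beside a version that applies it
to every operation that creates a file in the managed tree."""

from __future__ import annotations

import posixpath


class NamePolicy:
    """Allowlist of file extensions permitted in the managed tree (assumed policy)."""

    def __init__(self, allowed: set[str]) -> None:
        self.allowed = {e.lower().lstrip(".") for e in allowed}

    def is_allowed(self, name: str) -> bool:
        stem, dot, ext = posixpath.basename(name).rpartition(".")
        # Reject names with no extension, dot-files, and anything not on the list.
        return bool(dot) and stem != "" and ext.lower() in self.allowed


class VulnerableManager:
    """Minimal in-memory file manager: upload() is policy-checked, copy()/rename() are not."""

    def __init__(self, policy: NamePolicy, tree: dict[str, bytes]) -> None:
        self.policy = policy
        self.tree = dict(tree)

    def upload(self, dst_dir: str, name: str, data: bytes) -> bool:
        if not self.policy.is_allowed(name):
            return False
        self.tree[posixpath.join(dst_dir, name)] = data
        return True

    def copy(self, src: str, dst_dir: str) -> bool:
        if src not in self.tree:
            return False
        # The gap: the destination name is never checked, so a .php or config
        # file reachable in one directory can be duplicated into the served one.
        self.tree[posixpath.join(dst_dir, posixpath.basename(src))] = self.tree[src]
        return True

    def rename(self, src: str, new_name: str) -> bool:
        if src not in self.tree:
            return False
        # Same gap: an allowed upload can be renamed to a disallowed extension.
        self.tree[posixpath.join(posixpath.dirname(src), new_name)] = self.tree.pop(src)
        return True

    def exists(self, path: str) -> bool:
        return path in self.tree


class HardenedManager(VulnerableManager):
    """Same manager with the policy applied to every file-creating operation."""

    def copy(self, src: str, dst_dir: str) -> bool:
        if not self.policy.is_allowed(posixpath.basename(src)):
            return False
        return super().copy(src, dst_dir)

    def rename(self, src: str, new_name: str) -> bool:
        if not self.policy.is_allowed(new_name):
            return False
        return super().rename(src, new_name)


# Constructed sample tree: a private directory holds a PHP config file (assumed data).
SAMPLE_TREE = {"private/config.php": b"<?php $db_pass = 'secret';"}
POLICY = NamePolicy({"jpg", "png", "txt"})


def demo() -> dict[str, bool]:
    """Run both managers against the sample tree; every value is True when the
    vulnerable manager misbehaves as described and the hardened one does not."""
    v = VulnerableManager(POLICY, SAMPLE_TREE)
    h = HardenedManager(POLICY, SAMPLE_TREE)
    return {
        "vuln_upload_php_blocked": not v.upload("public", "shell.php", b"<?php"),
        "vuln_copy_php_succeeds": v.copy("private/config.php", "public"),
        "vuln_secret_now_public": v.exists("public/config.php"),
        "vuln_rename_to_php_succeeds": v.upload("public", "img.jpg", b"")
        and v.rename("public/img.jpg", "img.php")
        and v.exists("public/img.php"),
        "hard_copy_php_blocked": not h.copy("private/config.php", "public"),
        "hard_rename_to_php_blocked": h.upload("public", "img.jpg", b"")
        and not h.rename("public/img.jpg", "img.php"),
        "hard_copy_txt_ok": h.upload("private", "notes.txt", b"x")
        and h.copy("private/notes.txt", "public"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The design point is that the allowlist is a property of the tree, not of the upload endpoint: any command that can create or rename an entry (copy, paste, rename, extract) must consult the same policy, or the upload check is only a speed bump.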
References (2)
Permissions Required
http://elfinder.com
Third Party Advisory
https://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0026 (48.8th percentile)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-284 (Improper Access Control)
Status: published
Products (2)
std42/elfinder 2.1.64
studio-42/elfinder (Packagist)
Published: Jul 30, 2024
Tracked Since: Feb 18, 2026