Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zaDlmLW1tMngtNGo1OM4AA-Q_
Studio 42 elFinder vulnerable to Incorrect Access Control
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows any attacker to expose secrets, achieve remote code execution (RCE), and more.
Permalink: https://github.com/advisories/GHSA-3h9f-mm2x-4j58
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zaDlmLW1tMngtNGo1OM4AA-Q_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 29 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3h9f-mm2x-4j58, CVE-2024-38909
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-38909
- https://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909
- http://elfinder.com
- https://github.com/advisories/GHSA-3h9f-mm2x-4j58
Blast Radius: 30.7
Affected Packages
packagist:studio-42/elfinder
Dependent packages: 83
Dependent repositories: 1,365
Downloads: 6,882,330 total
Affected Version Ranges: <= 2.1.64
No known fixed version
All affected versions: 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.1.30, 2.1.31, 2.1.32, 2.1.33, 2.1.34, 2.1.35, 2.1.36, 2.1.37, 2.1.38, 2.1.39, 2.1.40, 2.1.41, 2.1.42, 2.1.43, 2.1.44, 2.1.45, 2.1.46, 2.1.47, 2.1.48, 2.1.49, 2.1.50, 2.1.51, 2.1.52, 2.1.53, 2.1.54, 2.1.55, 2.1.56, 2.1.57, 2.1.58, 2.1.59, 2.1.60, 2.1.61, 2.1.62, 2.1.63, 2.1.64