CVE Catalog

CVE-2024-38909

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile - higher than 38% of all known CVEs

Summary

Studio 42 elFinder version 2.1.64 is vulnerable to incorrect access control. Copying files with an unauthorized extension between server directories allows an attacker to expose secrets and perform remote code execution (RCE).

Risk Assessment

The risk for the organization includes leakage of confidential data and potential server compromise through remote code execution.

Recommendation

It is recommended to immediately update elFinder to the latest available version and implement strict file extension validation rules during copy operations.

Original NVD description (English source)

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS