CVE-2024-38909
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
Studio 42 elFinder version 2.1.64 is vulnerable to incorrect access control. Copying files with an unauthorized extension between server directories allows an attacker to expose secrets and perform remote code execution (RCE).
Risk Assessment
The risk for the organization includes leakage of confidential data and potential server compromise through remote code execution.
Recommendation
It is recommended to immediately update elFinder to the latest available version and implement strict file extension validation rules during copy operations.
Original NVD description (English source)
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.

