Vulnerability Description
Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Std42 | Elfinder | < 2.1.36 |
Related Weaknesses (CWE)
References
- https://github.com/Studio-42/elFinder/commit/157f471d7e48f190f74e66eb5bc73360b53PatchThird Party Advisory
- https://github.com/Studio-42/elFinder/releases/tag/2.1.36Release NotesThird Party Advisory
- https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2MitigationThird Party Advisory
- https://github.com/Studio-42/elFinder/commit/157f471d7e48f190f74e66eb5bc73360b53PatchThird Party Advisory
- https://github.com/Studio-42/elFinder/releases/tag/2.1.36Release NotesThird Party Advisory
- https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2MitigationThird Party Advisory
FAQ
What is CVE-2018-9109?
CVE-2018-9109 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server...
How severe is CVE-2018-9109?
CVE-2018-9109 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-9109?
Check the references section above for vendor advisories and patch information. Affected products include: Std42 Elfinder.