Vulnerability Description
Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. NOTE: this issue exists because of an incomplete fix for CVE-2018-9109.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Std42 | Elfinder | < 2.1.37 |
Related Weaknesses (CWE)
References
- https://github.com/Studio-42/elFinder/commit/e6351557b86cc10a7651253d2d2aff7f6b9PatchThird Party Advisory
- https://github.com/Studio-42/elFinder/releases/tag/2.1.37Release NotesThird Party Advisory
- https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2MitigationThird Party Advisory
- https://github.com/Studio-42/elFinder/commit/e6351557b86cc10a7651253d2d2aff7f6b9PatchThird Party Advisory
- https://github.com/Studio-42/elFinder/releases/tag/2.1.37Release NotesThird Party Advisory
- https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2MitigationThird Party Advisory
FAQ
What is CVE-2018-9110?
CVE-2018-9110 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server...
How severe is CVE-2018-9110?
CVE-2018-9110 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-9110?
Check the references section above for vendor advisories and patch information. Affected products include: Std42 Elfinder.