CVE-2018-9109
Description
Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal in elFinder's zipdl() lets a remote attacker who can reach the PHP connector download, and have the server delete, files accessible to the web server process.
Vulnerability
Studio 42 elFinder versions 2.1.12 through 2.1.35, and version 2.1.36 on Windows servers, contain a directory traversal vulnerability in the zipdl() function within elFinder.class.php [1][3]. The function takes its file name from $targets[1] and builds the path as $volume->getTempPath().DIRECTORY_SEPARATOR.$file without checking that the result stays inside the temporary directory, so a value containing .. segments (for example ../../etc/passwd) resolves outside it [3][4]. An absolute $file does not help the attacker, because it is appended after the temp path; .. sequences do. The same code then registers $path in $GLOBALS['elFinderTempFiles'] for automatic deletion on shutdown, which is why a traversal read also removes the target file when the web server process is allowed to unlink it [3][4].
Exploitation
An attacker needs network access to the elFinder connector (the PHP backend) and whatever access the embedding application demands before it invokes the connector; the NVD vector scores this as low privileges (PR:L) [3]. A crafted zipdl request whose targets parameter carries .. sequences makes zipdl() open a path outside the temporary directory, so the server streams any file readable by the web server process and, through the shutdown cleanup, deletes it if that process has permission to do so [1][3].
Impact
Successful exploitation allows an attacker to download arbitrary files from the server and delete files owned by the web server account, leading to information disclosure and potential data loss [1][3]. The CVSS v3 base score is 7.7 (High) with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N [3].
Mitigation
The vulnerability is fixed in elFinder 2.1.36 (non-Windows) and 2.1.37 (Windows) [3]. Administrators should upgrade to the latest version immediately. If upgrading is not possible, the fix commit's check can be backported: in zipdl(), reject the request before $path is built if $file contains a directory separator [3][4]. Test for both / and \ rather than DIRECTORY_SEPARATOR alone; PHP on Windows accepts either separator, which is why the 2.1.36 check was not sufficient there and a 2.1.37 release was needed. Rejecting a bare .. as well, or comparing realpath() of the built path against the temporary directory, closes the remaining gaps. The project also warns that older versions on public servers may cause serious damage and should be updated or removed [2].
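The path construction and the check described above, as an added PHP illustration that is not elFinder's own code: it models the `$path = $volume->getTempPath().DIRECTORY_SEPARATOR.$file` line from zipdl() with the unchecked version, the 2.1.36 separator check, and a hardened variant side by side. The function names, the `$tempDir` stand-in for `$volume->getTempPath()`, and the traversal payloads are assumptions constructed for this example.

```php
<?php
// Added illustration, not elFinder's code. $tempDir stands in for
// $volume->getTempPath() and $file for $targets[1]; payloads are constructed.

// Pre-2.1.36 behaviour: $file is joined onto the temp dir unchecked, so
// "../../etc/passwd" resolves outside it. zipdl() then registers the path
// for deletion on shutdown, which is what turns the read into a delete.
function zipdl_path_vulnerable(string $tempDir, string $file): string {
    return $tempDir . DIRECTORY_SEPARATOR . $file;
}

// 2.1.36 check: rejects only the platform separator. On Windows
// DIRECTORY_SEPARATOR is '\', so a forward-slash payload still passes and
// PHP's filesystem functions happily follow the '/' segments.
function zipdl_path_2136(string $tempDir, string $file): ?string {
    if (strpos($file, DIRECTORY_SEPARATOR) !== false) {
        return null; // elFinder returns the 'File not found' array here
    }
    return $tempDir . DIRECTORY_SEPARATOR . $file;
}

// Hardened variant (example code, not the project's): reject both separator
// styles and a bare '..', then confirm the resolved path is still inside the
// temp dir. Behaves the same on Linux and Windows. Returns null for a
// non-existent file, which matches zipdl()'s own is_writable() gate.
function zipdl_path_hardened(string $tempDir, string $file): ?string {
    if ($file === '' || $file === '.' || $file === '..'
        || strpbrk($file, "/\\") !== false) {
        return null;
    }
    $base = realpath($tempDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false) {
        return null;
    }
    // Prefix check against "<base>/" so that "<base>2/x" is not accepted.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the temp dir
    }
    return $real;
}

// Demo on constructed input: one real temp file plus traversal attempts.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'elfinder_zipdl_demo';
@mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'archive.zip', 'PK');

$payloads = [
    'archive.zip',                         // legitimate temp file
    '../../etc/passwd',                    // POSIX-style traversal
    '..\\..\\Windows\\win.ini',            // Windows-style traversal
    '..' . DIRECTORY_SEPARATOR . 'other',  // whichever separator this host uses
    '..',                                  // bare parent, passes the 2.1.36 check
];
foreach ($payloads as $p) {
    printf("%-28s vulnerable=%s | 2.1.36=%s | hardened=%s\n",
        $p,
        zipdl_path_vulnerable($tmp, $p),
        zipdl_path_2136($tmp, $p) ?? 'rejected',
        zipdl_path_hardened($tmp, $p) ?? 'rejected');
}
```

Run it on a Linux host and the 2.1.36 column rejects `../../etc/passwd` but lets `..\..\Windows\win.ini` and a bare `..` through (harmless on Linux, where the backslashes are ordinary filename characters); on Windows the roles flip and `../../etc/passwd` escapes. The hardened column rejects every traversal on both platforms and accepts only the real temp file.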
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | < 2.1.36 | 2.1.36 |
Affected products
Patches (1)
157f471d7e48 [php:security] fix directory traversal vulnerability
1 file changed · +5 −1
php/elFinder.class.php+5 −1 modified@@ -1623,10 +1623,14 @@ protected function zipdl($args) { return array('error' => 'File not found', 'header' => $h404, 'raw' => true); } $file = $targets[1]; + // checking the validity of the file parameter + if (strpos($file, DIRECTORY_SEPARATOR) !== false) { + return array('error' => 'File not found', 'header' => $h404, 'raw' => true); + } $path = $volume->getTempPath().DIRECTORY_SEPARATOR.$file; // register auto delete on shutdown $GLOBALS['elFinderTempFiles'][$path] = true; - if (!is_readable($path)) { + if (!is_writable($path)) { return array('error' => 'File not found', 'header' => $h404, 'raw' => true); } $name = $targets[2];
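Review bot: the new `strpos($file, DIRECTORY_SEPARATOR) !== false` guard only rejects the platform's own separator, so on Windows (where DIRECTORY_SEPARATOR is `\`) a `$file` such as `../../x` still passes and the `/` segments are resolved normally when `$path` is opened; check both characters instead, for example `strpbrk($file, "/\\") !== false`, or compare `realpath()` of the built `$path` against `$volume->getTempPath()` before use. A bare `..` also survives the check and resolves to the temp directory's parent, which then gets registered in `$GLOBALS['elFinderTempFiles']`; rejecting `'.'` and `'..'` explicitly costs one line. Placing the guard before the `$GLOBALS` registration is the right order, and the move from `is_readable()` to `is_writable()` is a sensible tightening given that the path is queued for deletion, but the guard itself needs to cover `/` on every platform.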
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-45x3-mw7q-wf7f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-9109 (NVD entry)
- github.com/Studio-42/elFinder/commit/157f471d7e48f190f74e66eb5bc73360b5352fd3 (fix commit, vendor confirmation)
- github.com/Studio-42/elFinder/releases/tag/2.1.36 (release notes, vendor confirmation)
News mentions (0)
No linked articles in our index yet.