CVE-2018-9110
Description
Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. NOTE: this issue exists because of an incomplete fix for CVE-2018-9109.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal in elFinder's zipdl() allows remote attackers to download and delete arbitrary files; complete fix landed in 2.1.37.
Vulnerability
A directory traversal vulnerability exists in the zipdl() function in elFinder.class.php of Studio 42 elFinder versions 2.1.12 through 2.1.35, and version 2.1.36 on Windows servers. The issue is an incomplete fix for CVE-2018-9109: the original patch checked only for DIRECTORY_SEPARATOR and did not account for forward slashes, which Windows converts to the native separator automatically. This allows a remote attacker to traverse directories outside the intended scope [1][3].
Exploitation
An attacker must have a valid session with at least user-level privileges to access the elFinder connector. The attacker can then send a crafted request to the zipdl command with a targets parameter containing path traversal sequences (e.g., ../../../etc/passwd). The insufficient check can be bypassed on Windows by using forward slashes instead of backslashes [1][3][4]. No user interaction beyond the initial request is required.
Impact
Successful exploitation enables an attacker to download any file accessible by the web server process (leading to information disclosure) and delete files owned by the account running the web server process (potentially causing denial of service or data loss). The CVSS v3 base score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating a high confidentiality impact with no impact on integrity or availability, though deletion may affect availability [1][3].
Mitigation
Upgrade to elFinder version 2.1.37 (or 2.1.36 on Windows servers), which contains the complete fix for the directory traversal in zipdl(). If an immediate upgrade is not possible, apply the mitigation code change documented in the official advisory: modify the check in zipdl() to use strpos(str_replace('/', DIRECTORY_SEPARATOR, $file), DIRECTORY_SEPARATOR) !== false [2][3][4]. No workaround is documented for versions prior to 2.1.12, which may be affected by other vulnerabilities.
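The separator check before and after the re-fix, side by side with a stricter allowlist, as an added example that is not elFinder's own code. The separator is passed in as a parameter so the Linux and Windows cases can both be exercised on one host; the function names, the sample values and the allowlist variant are this example's own assumptions.

```php
<?php
// Added example, not elFinder's own code: models the zipdl() file-name check
// before and after commit e6351557b86c, with the separator passed in so the
// Linux ('/') and Windows ('\') cases can both be exercised on one host.

// Check as it stood after the CVE-2018-9109 patch: native separator only.
function accepted_before_fix(string $file, string $sep): bool
{
    return strpos($file, $sep) === false;
}

// Check from the re-fix: fold '/' into the native separator before testing,
// since Windows treats '/' as a path separator as well as '\'.
function accepted_after_fix(string $file, string $sep): bool
{
    return strpos(str_replace('/', $sep, $file), $sep) === false;
}

// Stricter allowlist (an assumption of this example, not part of the patch):
// the value must be a bare file name that resolves inside the temp directory.
function accepted_by_allowlist(string $file, string $tmpDir): bool
{
    if ($file === '' || basename($file) !== $file) {
        return false;
    }
    $base = realpath($tmpDir);
    $real = realpath($tmpDir . DIRECTORY_SEPARATOR . $file);
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed sample values for targets[1]; only the first is legitimate.
$samples = ['report.zip', '..\\..\\outside.txt', '../../outside.txt'];
foreach (['/' => 'linux', '\\' => 'windows'] as $sep => $os) {
    foreach ($samples as $file) {
        printf("%-7s %-20s before=%-6s after=%s\n", $os, $file,
            accepted_before_fix($file, $sep) ? 'ACCEPT' : 'reject',
            accepted_after_fix($file, $sep) ? 'ACCEPT' : 'reject');
    }
}
// On Windows the pre-fix check accepts '../../outside.txt' (the bypass) while
// the re-fix rejects it; on Linux a backslash is an ordinary file-name
// character, so both checks accepting '..\..\outside.txt' is correct there.

// Allowlist check against a real temp file (created here for the demo).
$tmp = tempnam(sys_get_temp_dir(), 'elfzdl');
var_dump(accepted_by_allowlist(basename($tmp), sys_get_temp_dir()));       // bare name inside temp dir
var_dump(accepted_by_allowlist('../' . basename($tmp), sys_get_temp_dir())); // not a bare name
unlink($tmp);
```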
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | >= 2.1.12, < 2.1.37 | 2.1.37 |
Affected products
Patches (1)
e6351557b86c [php:security] re-fix directory traversal vulnerability for windows server
1 file changed · +1 −1
php/elFinder.class.php+1 −1 modified@@ -1624,7 +1624,7 @@ protected function zipdl($args) { } $file = $targets[1]; // checking the validity of the file parameter - if (strpos($file, DIRECTORY_SEPARATOR) !== false) { + if (strpos(str_replace('/', DIRECTORY_SEPARATOR, $file), DIRECTORY_SEPARATOR) !== false) { return array('error' => 'File not found', 'header' => $h404, 'raw' => true); } $path = $volume->getTempPath().DIRECTORY_SEPARATOR.$file;
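Review bot: the replacement condition still screens `$file` by separator rather than validating what it is allowed to be, so it remains only as strong as the set of separators it enumerates (now '/' plus DIRECTORY_SEPARATOR). Because `$file` is concatenated straight onto `$volume->getTempPath()` on the next line, an allowlist would be more robust and platform-independent, e.g. `if (basename($file) !== $file)` followed by a realpath() containment check against the temp directory. The rejection also answers with a generic 'File not found' and records nothing about the rejected value; logging it would give operators a signal for traversal attempts.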
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-44p8-c3wv-f28r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-9110 (GHSA advisory)
- github.com/Studio-42/elFinder/commit/e6351557b86cc10a7651253d2d2aff7f6b918f8e (GHSA, x_refsource_CONFIRM, web)
- github.com/Studio-42/elFinder/releases/tag/2.1.37 (GHSA, x_refsource_CONFIRM, web)
News mentions (0)
No linked articles in our index yet.