Xerteonlinetoolkits

4 CVEs

CVE-2026-34413 | Severity: HIGH | Patch: This Week

Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.

Tags: PHP, Authentication Bypass, RCE, Path Traversal, Xerteonlinetoolkits
References: NVD, GitHub
CVSS 4.0: 8.8 | EPSS: 0.3%
CVE-2026-34415 | Severity: CRITICAL | Patch: Act Now

Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.

Tags: PHP, Authentication Bypass, Path Traversal, Xerteonlinetoolkits
References: NVD, GitHub, VulDB
CVSS 4.0: 9.3 | EPSS: 0.2%
CVE-2026-34414 | Severity: HIGH | Patch: This Week

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches are available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), and the attack is not automatable per the CISA SSVC framework.

Tags: PHP, XSS, RCE, Path Traversal, Xerteonlinetoolkits
References: NVD, GitHub, VulDB
CVSS 4.0: 7.1 | EPSS: 0.1%
CVE-2026-41459 | Severity: MEDIUM | Patch: This Month

Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.

Tags: PHP, Information Disclosure, Path Traversal, Xerteonlinetoolkits
References: NVD, GitHub
CVSS 4.0: 6.9 | EPSS: 0.0%