{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xerte/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-34413"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (3.15 and earlier)"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-34413","xerte","rce"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a web-based open-source e-learning content creation platform, is vulnerable to a critical remote code execution vulnerability (CVE-2026-34413) affecting versions 3.15 and earlier. The vulnerability lies within the elFinder connector endpoint at \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e, which lacks proper authentication. This allows unauthenticated attackers to bypass intended access controls and directly interact with the file management system. Attackers can leverage this flaw to perform unauthorized file operations, including creating, uploading, renaming, duplicating, overwriting, and deleting files within project media directories. This can be chained with path traversal and extension blocklist bypass vulnerabilities to ultimately achieve remote code execution and arbitrary file read on the affected server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e targeting the elFinder file manager.\u003c/li\u003e\n\u003cli\u003eDue to the missing authentication check, the server processes the request without validating the user\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file operation functionalities (create, upload, rename, duplicate, overwrite, delete) of elFinder.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a path traversal vulnerability to navigate outside the intended media directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file with a bypassed extension filter (e.g., using double extensions or null byte injection).\u003c/li\u003e\n\u003cli\u003eThe attacker renames the uploaded file to a valid PHP extension (e.g., \u003ccode\u003e.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the renamed PHP file, triggering server-side execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, allowing for arbitrary system commands and data access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers the ability to execute arbitrary code on the Xerte Online Toolkits server. This can lead to complete system compromise, data theft, defacement of the learning platform, and denial of service. The severity is high due to the ease of exploitation and the potential for widespread impact across educational institutions and organizations utilizing Xerte Online Toolkits for e-learning content delivery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches or upgrade to a version of Xerte Online Toolkits greater than 3.15 to address CVE-2026-34413.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Unauthenticated elFinder Connector Access\u003c/code\u003e to identify unauthorized access attempts to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eReview and harden file upload policies to prevent the upload of potentially malicious file types, mitigating the risk of chained exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-xerte-rce/","summary":"Xerte Online Toolkits versions 3.15 and earlier are vulnerable to unauthenticated remote code execution due to a missing authentication check in the elFinder connector, allowing arbitrary file operations that can be chained with other vulnerabilities.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via elFinder Connector","url":"https://feed.craftedsignal.io/briefs/2024-01-xerte-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Xerte","version":"https://jsonfeed.org/version/1.1"}