{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/xerte/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34415"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34415","rce","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Versions 3.15 and earlier validate uploaded file names incompletely in the elFinder connector endpoint: the file extension filter does not cover the \u0026lsquo;.php4\u0026rsquo; extension, so an attacker can upload PHP code under that name. Combined with the authentication bypass and path traversal vulnerabilities in the same connector, this can lead to arbitrary operating system command execution on the underlying server. 
This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file disguised with a \u0026lsquo;.php4\u0026rsquo; extension, bypassing the incomplete input validation.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious PHP file to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to directly access the uploaded PHP file via its URL.\u003c/li\u003e\n\u003cli\u003eIf the web server maps the \u0026lsquo;.php4\u0026rsquo; extension to its PHP handler (common in older or permissive \u003ccode\u003eAddHandler\u003c/code\u003e configurations; a server that maps only \u0026lsquo;.php\u0026rsquo; does not execute the file), it executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. 
The number of potentially affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PHP4 Uploads\u0026rdquo; to identify potential exploitation attempts by monitoring web server logs for \u0026lsquo;.php4\u0026rsquo; file uploads. Note that an upload filename travels in the multipart request body and is not recorded by a standard access log, so the rule should also match the later direct request for a \u0026lsquo;.php4\u0026rsquo; file under the project media directories, and should cover whichever other PHP-family extensions the server maps to its PHP handler.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xerte-rce/","summary":"Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-34413"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (3.15 and earlier)"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-34413","xerte","rce"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a web-based open-source e-learning content creation platform, is vulnerable to a high-severity (CVSS 8.6) remote code execution vulnerability (CVE-2026-34413) affecting versions 3.15 and earlier. 
The vulnerability lies within the elFinder connector endpoint at \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e, which lacks proper authentication. This allows unauthenticated attackers to bypass intended access controls and directly interact with the file management system. Attackers can leverage this flaw to perform unauthorized file operations, including creating, uploading, renaming, duplicating, overwriting, and deleting files within project media directories. This can be chained with the path traversal (CVE-2026-34414) and extension blocklist bypass (CVE-2026-34415) vulnerabilities in the same connector to ultimately achieve remote code execution and arbitrary file read on the affected server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e targeting the elFinder file manager.\u003c/li\u003e\n\u003cli\u003eDue to the missing authentication check, the server processes the request without validating the user\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file operation functionalities (create, upload, rename, duplicate, overwrite, delete) of elFinder.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the path traversal in the rename command\u0026rsquo;s \u003ccode\u003ename\u003c/code\u003e parameter to place files outside the intended media directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file under an extension the blocklist does not cover, such as \u003ccode\u003e.php4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker renames or moves the uploaded file, through the same unauthenticated connector, into a location from which the web server will execute it.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the renamed PHP file, triggering server-side execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, allowing for arbitrary system commands and data 
access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers the ability to execute arbitrary code on the Xerte Online Toolkits server. This can lead to complete system compromise, data theft, defacement of the learning platform, and denial of service. The severity is high due to the ease of exploitation and the potential for widespread impact across educational institutions and organizations utilizing Xerte Online Toolkits for e-learning content delivery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches or upgrade to a version of Xerte Online Toolkits greater than 3.15 to address CVE-2026-34413.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Unauthenticated elFinder Connector Access\u003c/code\u003e to identify unauthorized access attempts to the vulnerable endpoint. An access log does not record session state, so correlate write-class connector commands (create, upload, rename, duplicate, overwrite, delete) from a client with later requests from the same client for PHP-family files under the project media directories.\u003c/li\u003e\n\u003cli\u003eReplace the extension blocklist in the connector with an allowlist of the media types the toolkit actually needs, and store uploads in directories from which the web server does not execute PHP, so that a single bypassed check no longer yields code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-xerte-rce/","summary":"Xerte Online Toolkits versions 3.15 and earlier are vulnerable to unauthenticated remote code execution due to a missing authentication check in the elFinder connector, allowing arbitrary file operations that can be chained with other vulnerabilities.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via elFinder Connector","url":"https://feed.craftedsignal.io/briefs/2024-01-xerte-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-34414"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (\u003c= 
3.15)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","remote-code-execution","xss"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a tool used to create online learning materials, contains a path traversal vulnerability (CVE-2026-34414) in versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e. The \u003ccode\u003ename\u003c/code\u003e parameter within rename commands is not properly sanitized, allowing attackers to use directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to manipulate file locations. This flaw can be exploited to overwrite application files, inject stored cross-site scripting (XSS), or, when combined with other vulnerabilities, achieve unauthenticated remote code execution (RCE). This poses a significant threat to organizations utilizing affected versions of Xerte Online Toolkits, potentially leading to data breaches, system compromise, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Xerte Online Toolkits instance running version 3.15 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e targeting the rename command.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u003ccode\u003ename\u003c/code\u003e parameter contains directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) and the desired destination path.\u003c/li\u003e\n\u003cli\u003eThe server, due to insufficient input validation, processes the request without properly sanitizing the \u003ccode\u003ename\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker moves a file (e.g., an uploaded image or media file) from its original 
project media directory to a new location specified within the malicious \u003ccode\u003ename\u003c/code\u003e parameter. This could involve moving a file to the application root directory.\u003c/li\u003e\n\u003cli\u003eIf the attacker moves a specifically crafted PHP file to the application root and the webserver is configured to execute PHP files in the root, the attacker can then access this file via a web request.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the Xerte Online Toolkits instance and potentially the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. Attackers can overwrite sensitive application files, leading to denial of service or system instability. The injection of malicious JavaScript code can result in stored cross-site scripting (XSS) attacks, compromising user accounts and data. The most severe outcome is unauthenticated remote code execution (RCE), enabling attackers to gain complete control over the affected server, potentially leading to data breaches, malware deployment, and further lateral movement within the network. 
The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a version greater than 3.15 to patch CVE-2026-34414.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Path Traversal in Xerte Connector\u003c/code\u003e to identify attempted exploitation of the path traversal vulnerability by monitoring requests to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e with directory traversal sequences, including their URL-encoded and double-encoded forms (\u003ccode\u003e%2e%2e/\u003c/code\u003e, \u003ccode\u003e%252e%252e%252f\u003c/code\u003e), which a plain match on \u003ccode\u003e../\u003c/code\u003e misses.\u003c/li\u003e\n\u003cli\u003eValidate the \u003ccode\u003ename\u003c/code\u003e parameter within the elFinder connector: reject any value containing a path separator or \u003ccode\u003e..\u003c/code\u003e, and resolve the final path against the project media root before acting on it.\u003c/li\u003e\n\u003cli\u003eReview web server configurations so that PHP is not executed from the project media and upload directories; the application itself must run PHP from its web root, so the restriction belongs on the user-writable directories, not the root.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xerte-path-traversal/","summary":"Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.","title":"Xerte Online Toolkits Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Xerte","version":"https://jsonfeed.org/version/1.1"}
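The detection guidance in the three advisories above (Sigma rules for '.php4' uploads, for unauthenticated connector access, and for traversal sequences in connector requests) as one runnable check over web server access-log lines. This is an added example, not CraftedSignal's Sigma rules and not Xerte or elFinder code. It assumes Apache combined log format, the connector path the advisories name, and an assumed project-media URL prefix of /USER-FILES/ for uploaded files; the log lines are constructed for the demo. It goes beyond the text in two ways: it URL-decodes twice, so double-encoded traversal is caught, and it flags the whole PHP extension family rather than only '.php4'.

```python
"""Access-log detection for the three Xerte elFinder connector advisories
(CVE-2026-34413 / -34414 / -34415).

Added example, not CraftedSignal, Xerte or elFinder code. Assumptions:
Apache combined log format, the connector path from the advisories, and an
assumed project-media prefix of /USER-FILES/. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

CONNECTOR = "/editor/elfinder/php/connector.php"   # named in the advisories
MEDIA_PREFIX = "/USER-FILES/"                        # assumed layout
# elFinder commands that write to the volume; none should arrive unauthenticated.
WRITE_CMDS = {"upload", "mkfile", "mkdir", "rename", "duplicate", "paste", "put", "rm"}
# A '.php'-only blocklist misses these; flag the whole family.
PHP_EXT = re.compile(r"\.(?:php[3457]?|phtml|phar)$", re.I)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one completed chain (203.0.113.7), one double-encoded
# traversal attempt (192.0.2.9) and benign editor traffic (198.51.100.4).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2026:10:00:01 +0000] "POST /editor/elfinder/php/connector.php?cmd=upload&target=l1_Lw HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [23/Apr/2026:10:00:02 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_c2hlbGwucGhwNA&name=shell.php4 HTTP/1.1" 200 220 "-" "curl/8.0"
203.0.113.7 - - [23/Apr/2026:10:00:05 +0000] "GET /USER-FILES/1-admin/media/shell.php4?cmd=id HTTP/1.1" 200 40 "-" "curl/8.0"
192.0.2.9 - - [23/Apr/2026:10:02:00 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_aW1nLnBuZw&name=%252e%252e%252F%252e%252e%252Fbackdoor.phtml HTTP/1.1" 200 220 "-" "python-requests/2.31"
198.51.100.4 - - [23/Apr/2026:10:01:00 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Apr/2026:10:01:10 +0000] "GET /USER-FILES/2-teacher/media/lesson.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def decode_target(target):
    """Split a request target into (path, query params), URL-decoding twice so
    that double-encoded traversal (%252e%252e%252f) is seen as '../'."""
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))
    params = {
        key: [unquote(value) for value in values]   # parse_qs decoded once already
        for key, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return path, params


def classify(line):
    """Parse one log line; return (ip, findings) or None if it does not parse.
    Each finding is (kind, detail) with kind 'connector' or 'php_exec'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = decode_target(m["target"])
    findings = []
    if path == CONNECTOR:
        cmd = params.get("cmd", [""])[0]
        if cmd in WRITE_CMDS:
            # CVE-2026-34413: the access log cannot show session state, so a
            # write command is only a weak signal here; it is correlated below.
            findings.append(("connector", f"write command cmd={cmd}"))
        for key in ("name", "target", "targets[]", "dst", "src"):
            for value in params.get(key, []):
                if TRAVERSAL.search(value):            # CVE-2026-34414
                    findings.append(("connector", f"traversal in {key}={value}"))
                if PHP_EXT.search(value):              # CVE-2026-34415
                    findings.append(("connector", f"php-family extension in {key}={value}"))
    elif path.startswith(MEDIA_PREFIX) and PHP_EXT.search(path):
        # Stage 2 of every chain: the uploaded or moved file is requested directly.
        # Upload filenames travel in the multipart body, so this request is often
        # the first place the '.php4' name appears in an access log.
        findings.append(("php_exec", f"{m['method']} {path} -> {m['status']}"))
    return m["ip"], findings


def analyze(log_text):
    """Group findings per client IP and mark IPs whose connector activity is
    followed by a request for a PHP-family file under the media tree."""
    per_ip = defaultdict(lambda: {"connector": [], "php_exec": [], "chain": False})
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None or not rec[1]:
            continue
        ip, findings = rec
        for kind, detail in findings:
            per_ip[ip][kind].append(detail)
        if per_ip[ip]["connector"] and per_ip[ip]["php_exec"]:
            per_ip[ip]["chain"] = True
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        label = "LIKELY RCE CHAIN" if info["chain"] else "suspicious"
        print(f"{ip}: {label}")
        for detail in info["connector"] + info["php_exec"]:
            print(f"    {detail}")
```

Run it as a script to print the per-IP verdicts, or pass a real access log to analyze(). Because an access log does not record whether a session existed, a write-class connector command alone is only a weak signal; the chain flag is set only when the same client later requests a PHP-family file under the media tree, which is the request that actually needs the web server to execute the upload.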