<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Xerte — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/xerte/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/xerte/feed.xml" rel="self" type="application/rss+xml"/><item><title>Xerte Online Toolkits Unauthenticated Remote Code Execution via File Upload</title><link>https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/</link><pubDate>Thu, 23 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/</guid><description>Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.</description><content:encoded><![CDATA[<p>Xerte Online Toolkits, a platform used for creating online learning materials, is vulnerable to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a &lsquo;.php4&rsquo; extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. 
This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.</li>
<li>The attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.</li>
<li>The attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.</li>
<li>The attacker uploads a malicious PHP file disguised with a &lsquo;.php4&rsquo; extension, bypassing the incomplete input validation.</li>
<li>The server saves the malicious PHP file to the specified directory.</li>
<li>The attacker sends another HTTP request to directly access the uploaded PHP file via its URL.</li>
<li>The web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.</li>
<li>The attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.</li>
</ol>
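<p>The weak check in step 4 is easiest to see next to a sound one. The following Python is an added example, not code from Xerte Online Toolkits or elFinder: a constructed extension blocklist that, as the brief describes, forgets <code>.php4</code>, beside an allowlist check that inspects every extension segment of the name. The blocklist contents, the allowed set and the <code>stored_name</code> helper are illustrative assumptions, not the project's actual filter.</p>

```python
"""Extension blocklist vs allowlist for an upload filename.

Added example, not code from Xerte Online Toolkits or elFinder. The blocklist
below is constructed to show the failure mode the brief describes (a list of
"dangerous" extensions that omits '.php4'); the real filter may differ.
"""
import re
import secrets

# Vulnerable pattern: enumerate "bad" extensions and reject only those.
# Any PHP-interpreted extension the author forgot (here php4, phar, phps)
# passes. Constructed list, not the project's.
BLOCKED_EXTENSIONS = {"php", "php3", "php5", "phtml"}


def blocklist_allows(filename: str) -> bool:
    """Accept unless the *last* extension is on the blocklist (the weak check)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


# Hardened pattern: allowlist what a media directory legitimately needs.
# SVG is deliberately absent: it can carry script and is an XSS vector.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "mp3", "mp4", "pdf"}

# Whole-name shape: one base segment plus one or more extension segments;
# no separators, no leading dot, no spaces or control characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def allowlist_allows(filename: str) -> bool:
    """Accept only names whose every extension segment is on the allowlist.

    Checking every segment, not just the last, closes the 'shell.php.jpg'
    case that Apache's multi-extension handling can still run as PHP.
    """
    if not _SAFE_NAME.fullmatch(filename):
        return False
    segments = filename.lower().split(".")[1:]
    return all(seg in ALLOWED_EXTENSIONS for seg in segments)


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random stem + validated extension.

    Discarding the client-supplied stem removes a second class of problems
    (overwriting existing files, odd characters) without weakening the check.
    """
    if not allowlist_allows(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return f"{secrets.token_hex(8)}.{filename.rsplit('.', 1)[-1].lower()}"
```

The blocklist version accepts <code>shell.php4</code> and <code>shell.php.jpg</code>; the allowlist version rejects both, and also rejects anything with a separator or leading dot, so <code>../photo.jpg</code> never reaches the filesystem layer.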
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.</li>
<li>Implement the Sigma rule &ldquo;Detect Suspicious PHP4 Uploads&rdquo; to identify exploitation attempts. Note that elFinder sends uploads as multipart POST bodies to the connector, so a standard access log records only the request line; matching on a &lsquo;.php4&rsquo; filename needs request-body visibility (a WAF, reverse proxy or ModSecurity audit log), or the rule should also key on the follow-up request that fetches the &lsquo;.php4&rsquo; file.</li>
<li>Review web server access logs for requests to PHP files, including alternate extensions such as &lsquo;.php4&rsquo; and &lsquo;.phtml&rsquo;, in directories that should only hold user media (project media folders); such requests are the execution step of the chain and are visible even when the upload itself is not.</li>
<li>Monitor requests to the elFinder connector endpoint (<code>/editor/elfinder/php/connector.php</code>) for upload and rename commands that carry unexpected extensions or directory traversal sequences in their parameters.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-34415</category><category>rce</category><category>file-upload</category><category>web-application</category></item><item><title>Xerte Online Toolkits Unauthenticated Remote Code Execution via elFinder Connector</title><link>https://feed.craftedsignal.io/briefs/2024-01-xerte-rce/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-xerte-rce/</guid><description>Xerte Online Toolkits versions 3.15 and earlier are vulnerable to unauthenticated remote code execution due to a missing authentication check in the elFinder connector, allowing arbitrary file operations that can be chained with other vulnerabilities.</description><content:encoded><![CDATA[<p>Xerte Online Toolkits, a web-based open-source e-learning content creation platform, is vulnerable to a critical remote code execution vulnerability (CVE-2026-34413) affecting versions 3.15 and earlier. The vulnerability lies within the elFinder connector endpoint at <code>/editor/elfinder/php/connector.php</code>, which lacks proper authentication. This allows unauthenticated attackers to bypass intended access controls and directly interact with the file management system. Attackers can leverage this flaw to perform unauthorized file operations, including creating, uploading, renaming, duplicating, overwriting, and deleting files within project media directories. This can be chained with path traversal and extension blocklist bypass vulnerabilities to ultimately achieve remote code execution and arbitrary file read on the affected server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a malicious HTTP request to <code>/editor/elfinder/php/connector.php</code> targeting the elFinder file manager.</li>
<li>Due to the missing authentication check, the server processes the request without validating the user&rsquo;s identity.</li>
<li>The attacker leverages the file operation functionalities (create, upload, rename, duplicate, overwrite, delete) of elFinder.</li>
<li>The attacker exploits a path traversal vulnerability to navigate outside the intended media directory.</li>
<li>The attacker uploads a PHP payload under an extension the filter does not block (for example &lsquo;.php4&rsquo;, which the blocklist omits but which the server still executes).</li>
<li>Alternatively, if the rename command applies no extension check, the attacker renames an innocuous upload to a PHP extension (e.g., <code>.php</code>).</li>
<li>The attacker sends an HTTP request to the renamed PHP file, triggering server-side execution.</li>
<li>The attacker achieves remote code execution on the server, allowing for arbitrary system commands and data access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability grants unauthenticated attackers the ability to execute arbitrary code on the Xerte Online Toolkits server. This can lead to complete system compromise, data theft, defacement of the learning platform, and denial of service. The issue is rated critical because exploitation requires no credentials and the platform is widely deployed across educational institutions and organizations that use Xerte Online Toolkits for e-learning content delivery.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest security patches or upgrade to a version of Xerte Online Toolkits greater than 3.15 to address CVE-2026-34413.</li>
<li>Implement the Sigma rule <code>Detect Unauthenticated elFinder Connector Access</code> to identify unauthorized access attempts to the vulnerable endpoint.</li>
<li>Review and harden file upload policies to prevent the upload of potentially malicious file types, mitigating the risk of chained exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-34413</category><category>xerte</category><category>rce</category></item><item><title>Xerte Online Toolkits Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/</guid><description>Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.</description><content:encoded><![CDATA[<p>Xerte Online Toolkits, a tool used to create online learning materials, is vulnerable to a path traversal vulnerability (CVE-2026-34414) in versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at <code>/editor/elfinder/php/connector.php</code>. The <code>name</code> parameter within rename commands is not properly sanitized, allowing attackers to use directory traversal sequences (e.g., <code>../</code>) to manipulate file locations. This flaw can be exploited to overwrite application files, inject stored cross-site scripting (XSS), or, when combined with other vulnerabilities, achieve unauthenticated remote code execution (RCE). This poses a significant threat to organizations utilizing affected versions of Xerte Online Toolkits, potentially leading to data breaches, system compromise, and reputational damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Xerte Online Toolkits instance running version 3.15 or earlier.</li>
<li>The attacker crafts a malicious HTTP request to <code>/editor/elfinder/php/connector.php</code> targeting the rename command.</li>
<li>Within the request, the <code>name</code> parameter contains directory traversal sequences (e.g., <code>../../</code>) and the desired destination path.</li>
<li>The server, due to insufficient input validation, processes the request without properly sanitizing the <code>name</code> parameter.</li>
<li>The attacker moves a file (e.g., an uploaded image or media file) from its project media directory to a location specified within the malicious <code>name</code> parameter, for example the application root directory.</li>
<li>If the moved file contains PHP code and lands in the application root, where the web server must execute PHP for the application&rsquo;s own scripts, the attacker can then request it directly via its URL.</li>
<li>The attacker executes arbitrary code on the server.</li>
<li>The attacker gains complete control of the Xerte Online Toolkits instance and potentially the underlying server.</li>
</ol>
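<p>The missing check in step 4 amounts to treating <code>name</code> as a path rather than a filename. The Python below is an added example, not elFinder&rsquo;s or Xerte&rsquo;s code: a naive join that reproduces the traversal, beside a confinement check that treats the name as one path component and verifies the resolved target still lies under the media directory. The temporary directory layout (<code>USER-FILES/1-demo/media</code>) is a constructed stand-in for a project media directory.</p>

```python
"""Confining an elFinder-style rename target to the project media directory.

Added example, not elFinder's or Xerte's code. It contrasts a naive join of
the user-supplied 'name' (the behaviour the brief describes) with a check
that treats the name as a single path component and verifies the resolved
target still lies under the base directory.
"""
import os
import tempfile


def naive_rename_target(base_dir: str, user_name: str) -> str:
    """Vulnerable: the name is joined as-is, so '../' walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_rename_target(base_dir: str, user_name: str):
    """Return the resolved target path, or None if the name is not acceptable.

    Rejections, in order: empty/dot names, NUL bytes, any path separator.
    The surviving name is still re-checked after realpath() so that a symlink
    inside base_dir cannot carry the operation outside it. commonpath() rather
    than startswith() avoids the '/srv/media' vs '/srv/media2' prefix trick.
    """
    if not user_name or user_name in (".", ".."):
        return None
    if "\x00" in user_name or "/" in user_name or "\\" in user_name:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo() -> dict:
    """Constructed scenario: a throwaway media directory and a few rename names."""
    root = tempfile.mkdtemp(prefix="xerte-demo-")
    media = os.path.join(root, "USER-FILES", "1-demo", "media")
    os.makedirs(media)
    # three levels up: media -> 1-demo -> USER-FILES -> root
    escape = "../../../index.php"
    return {
        "naive_benign_ok": naive_rename_target(media, "logo.png") == os.path.join(media, "logo.png"),
        "naive_escapes": naive_rename_target(media, escape) == os.path.join(root, "index.php"),
        "safe_benign_ok": safe_rename_target(media, "logo.png") == os.path.realpath(os.path.join(media, "logo.png")),
        "safe_blocks_escape": safe_rename_target(media, escape) is None,
        "safe_blocks_subdir": safe_rename_target(media, "sub/logo.png") is None,
        "safe_blocks_dotdot": safe_rename_target(media, "..") is None,
    }


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key}: {'ok' if ok else 'FAILED'}")
```

Rejecting separators up front is what closes the traversal; the <code>realpath</code> plus <code>commonpath</code> check is the second line of defence for symlinks and for callers that build the path elsewhere. Apply the same check to the <code>target</code> side of rename, duplicate and paste, not only to <code>name</code>.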
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to several critical consequences. Attackers can overwrite sensitive application files, leading to denial of service or system instability. The injection of malicious JavaScript code can result in stored cross-site scripting (XSS) attacks, compromising user accounts and data. The most severe outcome is unauthenticated remote code execution (RCE), enabling attackers to gain complete control over the affected server, potentially leading to data breaches, malware deployment, and further lateral movement within the network. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Xerte Online Toolkits to a version greater than 3.15 to patch CVE-2026-34414.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Path Traversal in Xerte Connector</code> to identify attempted exploitation of the path traversal vulnerability by monitoring requests to <code>/editor/elfinder/php/connector.php</code> with directory traversal sequences.</li>
<li>Implement input validation on the <code>name</code> parameter within the elFinder connector: treat it as a single path component, rejecting separators and <code>..</code>, and verify that the resolved target still lies inside the project&rsquo;s media directory.</li>
<li>Review web server configuration so that PHP is not executed from the directories elFinder writes to (project media folders); the application root must keep executing PHP, which is exactly why a file moved there is dangerous.</li>
</ul>
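<p>To make the log-review advice above, and the &lsquo;.php4&rsquo; monitoring in the earlier brief on CVE-2026-34415, concrete: the Python below is an added example, not a CraftedSignal Sigma rule or Xerte code, that runs three checks over constructed Apache combined-format log lines. The <code>/USER-FILES/</code> media prefix and the elFinder hash values are assumptions about the install layout; the IP addresses are documentation ranges.</p>

```python
"""Detection logic from the briefs' recommendations, run over sample log lines.

Added example, not a CraftedSignal Sigma rule or Xerte code. The log lines
are constructed in Apache combined format; the '/USER-FILES/' media prefix
is an assumption about the install layout, adjust it to yours.

Rules:
  XERTE-TRAVERSAL  connector.php request with a '../' sequence in a query value
  XERTE-EXEC-EXT   request for a PHP-interpreted alternate extension (.php4,
                   .phtml, ...) anywhere, or for any .php* file under media
  XERTE-CONN-POST  POST to connector.php; upload bodies are not in access logs,
                   so this is a 'look here' marker, not an alert on its own
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
CONNECTOR = "/editor/elfinder/php/connector.php"
MEDIA_PREFIX = "/USER-FILES/"  # assumption about the Xerte install layout
EXEC_EXT_RE = re.compile(r"\.(php[3-7]?|phtml|phar|phps)$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_twice(value: str) -> str:
    """Percent-decode up to two rounds so '..%2F' and '..%252F' are both seen."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(lines):
    """Return a list of findings, one dict per rule hit, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash
        rec = m.groupdict()
        parts = urlsplit(rec["url"])
        path = decode_twice(parts.path)
        base = {"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "url": rec["url"]}

        if path == CONNECTOR:
            for key, val in parse_qsl(parts.query, keep_blank_values=True):
                if TRAVERSAL_RE.search(decode_twice(val)):
                    findings.append({**base, "rule": "XERTE-TRAVERSAL", "detail": f"{key}={val}"})
            if rec["method"] == "POST":
                findings.append({**base, "rule": "XERTE-CONN-POST", "detail": "request body not logged"})

        ext = EXEC_EXT_RE.search(path)
        if ext and (path.startswith(MEDIA_PREFIX) or ext.group(1).lower() != "php"):
            findings.append({**base, "rule": "XERTE-EXEC-EXT", "detail": path})
    return findings


# Constructed sample: two benign lines from a normal editing session, then an
# attacker (203.0.113.5) uploading via POST, renaming with traversal, and
# fetching the dropped file.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Apr/2026:11:58:40 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2026:11:58:41 +0000] "GET /USER-FILES/12-demo-project/media/logo.png HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Apr/2026:12:01:02 +0000] "POST /editor/elfinder/php/connector.php HTTP/1.1" 200 340 "-" "curl/8.5.0"
203.0.113.5 - - [23/Apr/2026:12:01:03 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_c2hlbGwucGhwNA&name=..%2F..%2F..%2Fshell.php4 HTTP/1.1" 200 187 "-" "curl/8.5.0"
203.0.113.5 - - [23/Apr/2026:12:01:05 +0000] "GET /shell.php4?c=id HTTP/1.1" 200 58 "-" "curl/8.5.0"
203.0.113.5 - - [23/Apr/2026:12:01:07 +0000] "GET /USER-FILES/12-demo-project/media/shell.php4?c=id HTTP/1.1" 200 58 "-" "curl/8.5.0"
"""


def run_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f["rule"], f["ip"], f["method"], f["url"], f["detail"])
```

Two caveats the rules cannot cover: an access log does not show whether the connector request carried a valid session, so unauthenticated use (the core of CVE-2026-34413) has to be established by correlating with the application&rsquo;s login records; and a rename with traversal is only visible here when the client sends it as a GET query, so body-level inspection at a WAF or reverse proxy is still needed for POST traffic.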
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>remote-code-execution</category><category>xss</category></item></channel></rss>