CVE-2021-44663

moderate-risk
Published 2022-02-24

A Remote Code Execution (RCE) vulnerability exists in the Xerte Project Xerte through 3.8.4 via a crafted php file through elfinder in connetor.php.

Do I need to act?

~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Xerte Online Toolkits

Affected Vendors

Nottingham.Ac

References (6)

Patch https://github.com/thexerteproject/xerteonlinetoolkits/commit/694a591b5ab7f634f0...
Exploit https://riklutz.nl/2021/10/30/unauthenticated-file-upload-to-remote-code-executi...
Release Notes https://www.xerte.org.uk/index.php/en/news/blog/80-news/336-xerte-3-8-5-importan...
Patch https://github.com/thexerteproject/xerteonlinetoolkits/commit/694a591b5ab7f634f0...
Exploit https://riklutz.nl/2021/10/30/unauthenticated-file-upload-to-remote-code-executi...
Release Notes https://www.xerte.org.uk/index.php/en/news/blog/80-news/336-xerte-3-8-5-importan...
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal