Bootstrapbool

**Name of the Vulnerable Software and Affected Versions** Xerte Online Toolkits versions 3.15 and earlier **Description** A missing authentication issue exists in the elFinder connector endpoint '/editor/elfinder/php/connector.php'. An HTTP redirect to unauthenticated callers fails to call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories, including creating, renaming, duplicating, overwriting, and deleting files, as well as uploading files. This can be combined with path traversal and extension blocklist issues to achieve remote code execution and arbitrary file read. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xerte Online Toolkits versions 3.15 and earlier **Description** A relative path traversal issue exists in the elFinder connector endpoint '/editor/elfinder/php/connector.php'. The `name` parameter in rename commands is not properly sanitized for path traversal sequences. This allows attackers to move files from project media directories to arbitrary locations on the filesystem. Such actions could lead to the overwriting of application files, stored cross-site scripting, or unauthenticated remote code execution by moving PHP code files to the application root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xerte Online Toolkits versions 3.15 and earlier **Description** Incomplete input validation in the elFinder connector endpoint fails to block PHP-executable extensions such as .php4 due to an incorrect regex pattern. Unauthenticated attackers can combine this flaw with authentication bypass and path traversal to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. **Recommendations** Update to a version later than 3.15.

**Name of the Vulnerable Software and Affected Versions** Xerte Online Toolkits versions 3.15 and earlier **Description** An information disclosure issue allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. By sending a GET request to the '/setup' page, attackers can access the exposed `root path` value rendered in the HTML response. This information can be used to exploit path-dependent issues, such as relative path traversal in 'connector.php'. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.