PT-2022-12197 · Xerte · Xerte

Rik Lutz · Published 2022-02-24 · Updated 2022-07-12 · CVE-2021-44664

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Xerte versions through 3.9

Description

An Authenticated Remote Code Execution (RCE) issue exists in the website code/php/import/fileupload.php file. This is due to the ability to upload a maliciously crafted PHP file disguised as a language file, which bypasses the upload filters. Attackers can manipulate the file's destination by exploiting path traversal in the mediapath variable.

Recommendations

For versions through 3.9, consider disabling the file upload feature in the project interface until a patch is available. Restrict access to the fileupload.php file to minimize the risk of exploitation. Avoid using the mediapath variable in the affected API endpoint until the issue is resolved.
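
A defensive sketch of the two checks the description implies were missing: confining the upload destination to a fixed media root and allowlisting the stored file's extension. This is an added example, not Xerte's code or its patch; the helper name `safe_upload_target`, the media root argument and the extension allowlist are assumptions, and only the `mediapath` parameter name comes from the advisory.

```php
<?php
// Added illustration, not Xerte code. Hypothetical helper: returns the path an
// uploaded file may be stored at, or null if the request must be rejected.
function safe_upload_target(string $mediaRoot, string $mediapath, string $clientName): ?string
{
    // Extensions accepted for storage (assumed allowlist for this example).
    $allowed = ['xml', 'png', 'jpg', 'gif', 'mp3', 'mp4'];

    // Canonicalise the trusted root first; it must already exist.
    $root = realpath($mediaRoot);
    if ($root === false) {
        return null;
    }

    // realpath() collapses "../" segments and symlinks. A destination that
    // does not exist yields false, so nothing is created for the caller.
    $dir = realpath($root . DIRECTORY_SEPARATOR . $mediapath);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }

    // The resolved directory must be the root itself or lie below it. The
    // trailing separator stops "/media_evil" from matching "/media".
    if ($dir !== $root && strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }

    // Keep only the final path component of the client-supplied name.
    $name = basename(str_replace('\\', '/', $clientName));

    // Every dot-separated suffix must be allowlisted, so a PHP file is
    // refused whatever else its name claims to be.
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the base name, keep the suffixes
    if ($parts === [] || array_diff($parts, $allowed) !== []) {
        return null;
    }

    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs: a temporary media root with one subdirectory.
$root = sys_get_temp_dir() . '/media_' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0700, true);
var_dump(safe_upload_target($root, 'images', 'photo.png'));  // in-root directory, allowed type
var_dump(safe_upload_target($root, '../../', 'photo.png'));  // mediapath climbing out of the root
var_dump(safe_upload_target($root, 'images', 'en-GB.php'));  // PHP file named like a language file
var_dump(safe_upload_target($root, 'images', 'en-GB.php.xml')); // double extension
```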

Exploit

Fix

Unrestricted File Upload

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-44664

Affected Products

Xerte