Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    The Risk of Exposed Cloud Functions and How to Harden

    July 15, 2026

    CISA warns admins to patch actively exploited SharePoint flaws

    July 15, 2026

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    July 15, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»Alerts»CVE-2026-34413 | THREATINT
    Alerts

    CVE-2026-34413 | THREATINT

    adminBy adminApril 22, 2026No Comments1 Min Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Home

    Description

    Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.

    PUBLISHED Reserved 2026-03-27 | Published 2026-04-22 | Updated 2026-04-22 | Assigner VulnCheck

    HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

    HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

    Problem types

    CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

    Product status

    Default status
    unaffected

    3.15.0 (semver)
    affected

    3.14.0 (semver)
    affected

    3.13.0 (semver)
    affected

    Any version before 02661be88cc369325ea01b508086bde7fbfec805
    affected

    Any version before 17e4f945fe6a3400fa88c01eda18c1075ee4a212
    affected

    Any version before 507d55c5e91bf9310b5b1c7fad8aebfef902ad23
    affected

    Credits

    bootstrapbool finder

    References

    xerte.org.uk/xertetoolkits_3.15_ChangeLog.html release-notes

    xerte.org.uk/…downloads-1/category/3-xerte-online-toolkits product permissions-required

    github.com/thexerteproject/xerteonlinetoolkits/issues/1527 issue-tracking

    github.com/…ommit/02661be88cc369325ea01b508086bde7fbfec805 patch

    github.com/…ommit/17e4f945fe6a3400fa88c01eda18c1075ee4a212 patch

    github.com/…ommit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23 patch

    www.vulncheck.com/…issing-authentication-via-connector-php third-party-advisory

    cve.org (CVE-2026-34413)

    nvd.nist.gov (CVE-2026-34413)

    Download JSON



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous Articlen8n security advisory (AV26-379) – Canadian Centre for Cyber Security
    Next Article Trump Wants to Double Production of New Nuclear Weapon Cores
    admin
    • Website

    Related Posts

    Alerts

    CISA Adds One Known Exploited Vulnerability to Catalog

    June 12, 2026
    Alerts

    FreePBX security advisory (AV26–596) – Canadian Centre for Cyber Security

    June 12, 2026
    Alerts

    SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1

    June 12, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    The Risk of Exposed Cloud Functions and How to Harden

    July 15, 2026

    CISA warns admins to patch actively exploited SharePoint flaws

    July 15, 2026

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    July 15, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.