cbcvebase.
CVE-2021-44664
published 2022-02-24


Priority: P2 (68, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (public PoC)
EPSS: 12.78% (95.8th percentile)
An Authenticated Remote Code Execution (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file through the project interface disguised as a language file to bypass the upload filters. Attackers can manipulate the file's destination by abusing path traversal in the 'mediapath' variable.

Affected (1 range)

Vendor: xerte · Product: xerte · Version range: <= 3.9 · Fixed in: none listed

Detection & IOCs (extracted from sources)

Indicators:
  url       /website_code/php/import/fileupload.php
  url       /website_code/php/templates/new_template.php
  url       /website_code/php/properties/media_and_quota_template.php
  filename  index.inc
  url       /?cmd=whoami
  cookie    PHPSESSID

Detection notes:
  • Monitor POST requests to /website_code/php/import/fileupload.php containing a 'mediapath' parameter with path traversal sequences (e.g., '../') — this is the core exploitation vector for CVE-2021-44664.
  • Alert on multipart file uploads to fileupload.php where the uploaded filename has a .inc or .php extension, especially when the Content-Type is application/octet-stream — the exploit disguises a PHP webshell as a language file.
  • Watch for HTTP requests to the Xerte root with a 'cmd' query parameter (e.g., /?cmd=whoami) after a successful upload — this indicates webshell execution via the overwritten index.inc language file.
  • Correlate a sequence of three POST requests: (1) to new_template.php, (2) to media_and_quota_template.php, and (3) to fileupload.php — this three-step pattern is the full exploit chain for CVE-2021-44664.
  • The PoC exploit assumes guest login is enabled on the Xerte instance. If guest login is disabled, an attacker must supply a valid authenticated PHPSESSID cookie. Detections based on unauthenticated access may miss attacks using stolen or brute-forced session IDs.
  • The exploit specifically targets the en-GB language file (index.inc). Installations using a different default language will have a different traversal target path, so path-based detections should be broadened to cover other language directories.
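As an added example (not code from this page or from the Xerte project), the detection notes above turned into checks run over a few constructed web-server log lines: a traversal 'mediapath' on a POST to fileupload.php, a 'cmd' query to the site root, and the three-request chain from a single client. It assumes the log exposes the mediapath parameter in the query string; a request-body capture (WAF or reverse-proxy log) would feed the same checks.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined-log style); 10.0.0.5 runs the full
# chain and then calls the webshell, 10.0.0.9 is a benign upload.
LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "POST /website_code/php/templates/new_template.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "POST /website_code/php/properties/media_and_quota_template.php HTTP/1.1" 200 300
10.0.0.5 - - [01/Mar/2022:10:00:03 +0000] "POST /website_code/php/import/fileupload.php?mediapath=..%2F..%2Flanguages%2Fen-GB%2F HTTP/1.1" 200 88
10.0.0.5 - - [01/Mar/2022:10:00:09 +0000] "GET /?cmd=whoami HTTP/1.1" 200 41
10.0.0.9 - - [01/Mar/2022:10:05:00 +0000] "POST /website_code/php/import/fileupload.php?mediapath=media%2F HTTP/1.1" 200 88
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# The three-step request pattern named in the detection notes, in order.
CHAIN = ("/website_code/php/templates/new_template.php",
         "/website_code/php/properties/media_and_quota_template.php",
         "/website_code/php/import/fileupload.php")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "query": parse_qs(parts.query)}  # parse_qs already URL-decodes once

def has_traversal(value):
    decoded = unquote(value)  # second decode catches double-encoded ../
    return "../" in decoded or "..\\" in decoded

def is_traversal_upload(req):
    return (req["method"] == "POST" and req["path"] == CHAIN[2]
            and any(has_traversal(v) for v in req["query"].get("mediapath", [])))

def is_webshell_call(req):
    return req["path"] == "/" and "cmd" in req["query"]

def completes_chain(post_paths):
    # True when the three chain steps appear in order among a client's POSTs.
    i = 0
    for p in post_paths:
        if i < len(CHAIN) and p == CHAIN[i]:
            i += 1
    return i == len(CHAIN)

def analyse(log_text):
    findings = {"traversal_upload": [], "webshell_call": [], "exploit_chain": []}
    posts = defaultdict(list)
    for req in filter(None, map(parse, log_text.splitlines())):
        if is_traversal_upload(req):
            findings["traversal_upload"].append(req["ip"])
        if is_webshell_call(req):
            findings["webshell_call"].append(req["ip"])
        if req["method"] == "POST":
            posts[req["ip"]].append(req["path"])
    findings["exploit_chain"] = [ip for ip, p in posts.items() if completes_chain(p)]
    return findings
```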

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P