CVE-2020-10227

MEDIUM

vtenext 19 CE - Stored Cross-Site Scripting via Email From Field


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-10227. PoCs published by Marco Ruela.

AI-analyzed exploit summary: This exploit chains XSS, file upload, and CSRF vulnerabilities in VTENEXT 19 CE to achieve remote code execution. It sends a malicious email with an XSS payload that triggers a file upload of a PHP shell, then locates and executes commands on the uploaded shell.

Description

A cross-site scripting (XSS) vulnerability in the messages module of vtecrm vtenext 19 CE allows attackers to inject arbitrary JavaScript code via the From field of an email.

Exploits (1)

exploitdb WORKING POC
by Marco Ruela · python · webapps · multiple
https://www.exploit-db.com/exploits/48804


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VTENEXT 19 CE
No auth needed
Prerequisites: Access to SMTP server · Victim interaction to open email · Hosting for exploit.js
devstral-2 · analyzed Feb 16, 2026

References (3)

Vendor Advisory x_refsource_misc
https://vtenext.com/en/
Product, Third Party Advisory x_refsource_misc
https://sourceforge.net/projects/vtecrm/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48804

Scores

CVSS v3 6.1
EPSS 0.0115
EPSS Percentile 62.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): vtenext/vtenext 19
Published: Sep 14, 2020
Tracked Since: Feb 18, 2026