CVE-2020-10229

HIGH

vtenext 19 CE - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-10229. PoCs published by Marco Ruela.

AI-analyzed exploit summary: This exploit chains XSS, file upload, and CSRF vulnerabilities in VTENEXT 19 CE to achieve remote code execution. It sends a malicious email with an XSS payload that triggers a file upload of a PHP shell, then locates and executes commands on the uploaded shell.

Description

A CSRF issue in vtecrm vtenext 19 CE allows attackers to carry out unwanted actions on an administrator's behalf, such as uploading files, adding users, and deleting accounts.

Exploits (1)

exploitdb WORKING POC
by Marco Ruela · python · webapps · multiple
https://www.exploit-db.com/exploits/48804


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VTENEXT 19 CE
No auth needed
Prerequisites: Access to SMTP server · Victim interaction to open email · Hosting for exploit.js
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Product, Vendor Advisory x_refsource_misc
https://vtenext.com/en/
Product, Third Party Advisory x_refsource_misc
https://sourceforge.net/projects/vtecrm/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48804

Scores

CVSS v3: 8.8
EPSS: 0.0082
EPSS Percentile: 52.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-352
Status: published
Products (1): vtenext/vtenext 19
Published: Sep 14, 2020
Tracked Since: Feb 18, 2026