CVE-2021-44665

MEDIUM

Xerte < 3.10.3 - Path Traversal via Project File Download

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-44665. PoCs published by Rik Lutz.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in Xerte up to version 3.10.3, allowing an authenticated attacker to read arbitrary files (e.g., database.php) by manipulating the 'file' parameter in getfile.php. It automates the process of creating a project to discover the user directory and then constructs a traversal payload.

Description

A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php.

Exploits (1)

exploitdb WORKING POC
by Rik Lutz · python · webapps · php
https://www.exploit-db.com/exploits/50794


Classification
Working PoC: 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Xerte Online Toolkits up to 3.10.3
Auth required
Prerequisites: Guest login enabled or valid PHP session ID · Ability to create a project in Xerte
Analyzed by devstral-2 on Feb 16, 2026

References (2)


Scores

CVSS v3: 6.5
EPSS: 0.0769
EPSS Percentile: 93.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-22
Status: published
Products (1): xerte/xerte < 3.10.3
Published: Feb 24, 2022
Tracked Since: Feb 18, 2026