CVE-2023-46694

HIGH

Vtenext 21.02 - Authenticated Unrestricted Upload of File with Dangerous Type via Ckeditor File Manager

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-46694. PoCs published by invisiblebyte.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-46694, which allows an authenticated attacker to upload arbitrary files and achieve remote code execution in Vtenext 21.02. The exploit leverages improper authentication controls in the Ckeditor file manager functionality.

Description

Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, potentially enabling them to execute remote commands. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the Ckeditor file manager functionality.

Exploits (1)

nomisec WORKING POC 4 stars

by invisiblebyte · poc

https://github.com/invisiblebyte/CVE-2023-46694

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-46694, which allows an authenticated attacker to upload arbitrary files and achieve remote code execution in Vtenext 21.02. The exploit leverages improper authentication controls in the Ckeditor file manager functionality.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Vtenext 21.02

Auth required

Prerequisites: Valid credentials for the target Vtenext instance · Access to the target URL

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://github.com/invisiblebyte/CVE-2023-46694

Scores

CVSS v3 8.1

EPSS 0.0094

EPSS Percentile 56.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Published May 28, 2024

Tracked Since Feb 18, 2026