{"vuid":"VU#734812","idnumber":"734812","name":"Xerte Online Toolkit contains an authentication bypass that allows for RCE","keywords":null,"overview":"### Overview\r\n\r\nTwo vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the `/setup/` directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities.\r\n\r\n### Description\r\n\r\nXerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a `setup` folder that persists after installation. \r\n\r\n**CVE-2026-14261**\r\nA vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the `/setup/` folder, enabling attackers to reinstall the service to a remote database they control.\r\n\r\n**CVE-2026-12116**\r\nA vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be  modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. \r\n\r\nDuring installation, Xerte creates a `/setup/` folder to configure database connection settings. This folder persists post-installation without access controls or automatic cleanup, and `/setup/index.php` does not verify whether installation has completed. An attacker can revisit `/setup/` and reconfigure the application to point to a remote database, thereby gaining administrative access. \r\n\r\nAfter gaining admin privileges, an attacker can abuse CVE-2026-12116 by editing the antivirus binary path to point to a PHP interpreter. This causes any new uploaded files to be passed to the PHP runtime through `website_code/php/import/fileupload.php`, bypassing file extension checks and resulting in remote code execution.\r\n\r\n### Impact\r\nSuccessful exploitation can allow full remote code execution on the affected server. This enables attackers to establish persistent access, exfiltrate data, or launch supply chain attacks by injecting malicious content into educational materials distributed by the platform.\r\n\r\n### Solution\r\nThese issues have been addressed in two commits:\r\n- [8fec660](https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90) removes `/setup/` automatically after installation/upgrade and blocks reuse.\r\n- [8ef2062](https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7) moves sensitive configuration files, including the antivirus binary path, to server-side locations.\r\n\r\nUsers should take the following steps immediately:\r\n1. Manually remove the initial installation `/setup/` folder from installations.  \r\n2. Upgrade to Xerte v3.15.5 or v3.14.6 and run `upgrade.php`, which enforces automatic `/setup/` removal and includes security hardening. If removal fails, the updated code still prevents exploitation. \r\nThis blog post: https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update contains more information and contact data for Xerte. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, George Filippov from the Vexel Foundation. This document was written by Christopher Cullen.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532","https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7","https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90","https://github.com/thexerteproject/xerteonlinetoolkits/issues/1543","https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update"],"cveids":["CVE-2026-14261","CVE-2026-12116"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-07-09T12:37:51.648865Z","publicdate":"2026-07-09T12:37:51.505298Z","datefirstpublished":"2026-07-09T12:37:51.667279Z","dateupdated":"2026-07-09T12:37:51.505294Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":214}