VYPR
High severity · NVD Advisory · Published Mar 10, 2022 · Updated Aug 4, 2024

CVE-2021-44673

Description

Authenticated Remote Code Execution in Croogo 3.0.2 via arbitrary file upload in the admin file manager attachments component, allowing web shell execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via the admin/file-manager/attachments endpoint. The application fails to properly validate uploaded file types, allowing an authenticated attacker with administrative access to upload arbitrary files, including PHP web shells. The affected version is Croogo 3.0.2, a CakePHP-based content management system [1][2].

Exploitation

An attacker must first obtain valid administrative credentials to the Croogo admin panel. Once authenticated, the attacker navigates to the file manager attachments section and uploads a malicious PHP file (e.g., a web shell) disguised as a legitimate attachment. The upload mechanism does not enforce file type restrictions, so the malicious file is accepted and stored on the server. After upload, the attacker can access the uploaded file directly via its URL and execute arbitrary PHP code on the server [1][2].

Impact

Successful exploitation allows the attacker to achieve remote code execution on the underlying web server with the privileges of the web application user. This can lead to full compromise of the Croogo installation, including data theft, defacement, privilege escalation, and lateral movement within the hosting environment [1][2].

Mitigation

As of the available references, no official patch or fixed version has been released for this vulnerability. Administrators should restrict access to the admin panel to trusted users, implement additional file upload validation via web server configuration (e.g., .htaccess rules to block execution of PHP files in the uploads directory), and monitor for unusual file uploads. The Croogo project appears to be inactive, with no recent commits addressing this issue [3]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: croogo/croogo (Packagist)
Affected versions: <= 3.0.2
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet.)

Vulnerability mechanics

Root cause

"Unrestricted file upload in the admin file manager allows a malicious user to upload a web shell."

Attack vector

An attacker who has access to the admin panel can navigate to the file manager's attachments section and upload a web shell (e.g., a `.php` file). Because the application performs no validation on the uploaded file's extension or content type, the malicious file is stored on the server and can be executed by visiting its URL, leading to remote code execution [CWE-434].

Affected code

The vulnerability resides in the admin file manager at `/admin/file-manager/attachments` in Croogo 3.0.2. The upload handler does not restrict the file types that can be uploaded, allowing arbitrary file uploads.

What the fix does

The advisory does not include a published patch. To remediate the issue, the application should implement file-type validation (e.g., allowlisting safe extensions such as images only) and verify MIME types server-side before storing uploaded files. Without such controls, any authenticated admin user can upload and execute arbitrary PHP code.
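The allowlist-plus-MIME-check described here and in the Mitigation section above, as an added example that is not Croogo's own code: a server-side validator that accepts only a fixed set of extensions, verifies the uploaded bytes against the expected MIME type, and stores the file under a server-generated name. The function names and the upload directory (which should be one where the web server does not execute PHP, per the `.htaccess` advice above) are assumptions.

```php
<?php
// Added example, not Croogo's code: server-side validation for an attachment
// upload handler of the kind the advisory recommends. Function names and the
// storage directory (which should have PHP execution disabled) are assumptions.
declare(strict_types=1);

// Allowlist: accepted extension => MIME type the file's actual bytes must have.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Returns a server-generated filename for storage, or null to reject the upload.
function validateAttachment(string $clientName, string $tmpPath): ?string
{
    $parts = explode('.', basename($clientName));
    // Require exactly "name.ext": rejects "shell.php.jpg" and ".htaccess" here;
    // a plain "shell.php" fails the allowlist check below.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Never trust the client-declared $_FILES[...]['type']; sniff the bytes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Second check for images: the header must parse as an image.
    if (str_starts_with($detected, 'image/') && @getimagesize($tmpPath) === false) {
        return null;
    }
    // Store under a random name so the client cannot choose the path or extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Controller-side use (hypothetical): $file is one entry of $_FILES.
function storeAttachment(array $file, string $uploadDir): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name = validateAttachment($file['name'], $file['tmp_name']);
    return $name !== null
        && move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name);
}
```

Pair this with a web server rule that refuses to execute scripts in the upload directory, so a validation bypass still cannot yield code execution.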

Preconditions

  • auth: Attacker must have admin panel access (authenticated as an administrator).
  • network: The admin file-manager/attachments endpoint must be reachable.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet.)