VYPR
Unrated severity · NVD Advisory · Published Feb 9, 2022 · Updated Aug 4, 2024

CVE-2021-44912

Description

In XE 1.116, when uploading the Normal button, there is no restriction on the file suffix, which leads to any file being uploaded to the files directory. Since .htaccess only restricts the PHP type, uploading HTML-type files leads to stored XSS vulnerabilities. If the .htaccess configuration is improper, for example before XE version 1.11.2, you can upload a PHP-type file to GETSHELL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing file-suffix validation in the Normal button upload handler allows arbitrary file types to be stored in the files directory."

Attack vector

An attacker who can reach the admin panel uploads a crafted HTML file through the Normal button upload feature. Because the handler enforces no file-suffix restriction, the file is stored under `files/` and is later served from the site's own origin. Any user who opens that URL runs the embedded JavaScript in the context of the XE site, which is stored cross-site scripting: the script acts with that user's session, including an administrator's. Where `.htaccess` does not block PHP in the upload directory (the advisory cites versions before XE 1.11.2), the attacker uploads a `.php` file instead and obtains remote code execution. [ref_id=1]

Affected code

The vulnerability resides in `modules/menu/menu.admin.controller.php`, in the `#menu_normal_btn` upload handler. XE 1.116 (as the version is written in the advisory) does not check the file suffix when storing the Normal button, so arbitrary file types land in the `files/` directory. The `.htaccess` for that directory only refuses PHP; an `.html` file is served as an ordinary page, and on installations whose `.htaccess` predates the XE 1.11.2 change even the PHP restriction is ineffective. [ref_id=1]
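To make the gap concrete, the following added example (not XE code, and not the advisory's own repair) contrasts the substring blacklist the advisory recommends (refuse names containing `php` or `html`) with an extension allowlist backed by a magic-byte check on the content. The file names and bodies are constructed for the demonstration; `button.png` stands in for a legitimate Normal button image.

```python
"""Upload-name checks for an XE-style `files/` directory (added example, not XE code)."""
import re

# Blacklist in the shape of the advisory's repair suggestion: a name is refused
# when it contains "php" or "html" anywhere, case-insensitively.
DENY_TOKENS = ("php", "html")


def blacklist_allows(filename: str) -> bool:
    """True when the substring blacklist would let this name be stored."""
    name = filename.lower()
    return not any(tok in name for tok in DENY_TOKENS)


# Allowlist: exactly one extension from a closed set, on a basename with no
# dots, so a double extension such as shell.php.png can never satisfy it.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
BASENAME_RE = re.compile(r"[a-z0-9_-]{1,64}")

# Leading bytes a genuine file of each allowed type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def split_name(filename: str):
    """Return (basename, extension) lowercased, or (None, None) without a dot."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return None, None
    return base.lower(), ext.lower()


def allowlist_accepts(filename: str) -> bool:
    base, ext = split_name(filename)
    if base is None or ext not in ALLOWED_EXT:
        return False
    return BASENAME_RE.fullmatch(base) is not None


def content_matches_extension(filename: str, data: bytes) -> bool:
    _, ext = split_name(filename)
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) under the allowlist + magic-byte policy."""
    if not allowlist_accepts(filename):
        return False, "extension or basename not in allowlist"
    if not content_matches_extension(filename, data):
        return False, "content does not match declared image type"
    return True, "ok"


# Constructed uploads: one legitimate button image and several that the
# substring blacklist alone lets through or that target the upload path.
SAMPLES = {
    "button.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "evil.html": b"<script>fetch('/admin',{credentials:'include'})</script>",
    "evil.htm": b"<script>alert(1)</script>",  # `*html*` does not match .htm
    "evil.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.phar": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",
    "fake.png": b"<html><script>alert(1)</script></html>",  # right name, wrong bytes
}


def compare_policies(samples=SAMPLES):
    """Map each name to (blacklist_allows, allowlist_policy_accepts)."""
    return {name: (blacklist_allows(name), validate_upload(name, data)[0])
            for name, data in samples.items()}


def verdict(ok: bool) -> str:
    return "allow" if ok else "deny"


if __name__ == "__main__":
    for name, (bl, al) in compare_policies().items():
        print(f"{name:16} blacklist={verdict(bl):6} allowlist={verdict(al)}")
```

Running it shows the blacklist refusing only `evil.html`, `shell.php` and `shell.php.png`, while `evil.htm`, `evil.svg`, `shell.phar` and the HTML-bodied `fake.png` all pass; the allowlist-plus-magic policy accepts only `button.png`.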

What the fix does

The advisory's repair suggestion is to add `*html*` to the upload blacklist so that HTML files are refused before they reach `files/`, which stops the stored payload from ever being served. No code diff accompanies the report; the suggestion is to extend the existing `.htaccess` deny rules or to add server-side validation of the extension. A substring blacklist is a thin fix: `*html*` does not match `.htm`, and other browser-executable types such as `.svg` are untouched. A practitioner would instead allowlist the few image extensions a button needs, verify the file content against that type, and serve the upload directory with script handling disabled and `X-Content-Type-Options: nosniff`. [ref_id=1]
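The `.htaccess` side of that fix, as an added example rather than the advisory's or XE's own configuration: the first fragment has the shape the description attributes to the shipped file (only PHP refused), the second hardens the upload directory. It assumes Apache 2.4 syntax (`Require all denied`; 2.2 would use `Deny from all`), that `AllowOverride` permits `AuthConfig`, `FileInfo` and `Options` in this directory, and that mod_headers is loaded; the `mod_php.c` module name is the PHP 8 one and differs on older mod_php builds.

```apache
# --- Weak: only PHP is refused, so an uploaded .html file is served as a page
# --- in the site's origin (the stored-XSS path the advisory describes).
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# --- Hardened upload directory: refuse every extension a browser or PHP would
# --- execute (case-insensitively, so .HTML and .PhP are covered), then make
# --- sure nothing left is run by a script handler or sniffed as active content.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|inc|html?|xhtml|shtml|svgz?|xml|js)$">
    Require all denied
</FilesMatch>
# Serve whatever remains as a plain static file, never through a script handler.
SetHandler default-handler
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_headers.c>
    # Stop browsers from guessing a scriptable type for an oddly named file.
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Even with this in place, extension filtering in the application remains necessary: `.htaccess` is only honoured when `AllowOverride` permits it, and an operator can disable it for the whole tree without touching XE.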

Preconditions

  • auth: The attacker must have access to the admin panel to reach the Normal button upload functionality.
  • config: The server must be running the affected XE release (written as "XE 1.116" in the NVD description).
  • config: The `.htaccess` in the upload directory must not already block HTML extensions; for the PHP upload path it must also fail to block PHP, as in versions before XE 1.11.2.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1