Discovered by: Federico Zambito with Innovery
Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, resulting in remote code execution. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the Ckeditor file manager functionality.
Discovery date: 11/04/23
05/07/23 - Vendor contacted by email (1st time)
11/07/23 - Report sent to the vendor
25/10/23 - CVE issued CVE-2023-46694
17/11/23 - Vendor contacted again but no response
01/03/24 - Public disclosure