CVE-2021-43691

9.8 CRITICAL

📋 TL;DR

CVE-2021-43691 is a path traversal vulnerability in tripexpress v1.1 that allows attackers to write arbitrary files to the server filesystem by manipulating the src parameter in load_font.php. This affects all installations of tripexpress v1.1 that have the vulnerable component accessible. Attackers can potentially achieve remote code execution.

💻 Affected Systems

Products:
  • tripexpress
Versions: v1.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the load_font.php file is accessible via web requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Arbitrary file write leading to web shell deployment, data manipulation, or denial of service.

🟢 If Mitigated

Limited impact if proper file permissions restrict write access to critical directories.

🌐 Internet-Facing: HIGH - The vulnerability is in a web application component and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the vulnerable endpoint with path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/toocool/tripexpress/issues/40

Restart Required: No

Instructions:

No official patch exists. Remove or restrict access to system/helpers/dompdf/load_font.php, or upgrade to a newer version if available.

🔧 Temporary Workarounds

Restrict access to vulnerable file (platform: all)

Block web access to the load_font.php file using web server configuration

# For Apache: add to .htaccess
# (Apache 2.2 directives; on Apache 2.4 use "Require all denied" inside the <Files> block instead)
<Files "load_font.php">
    Order allow,deny
    Deny from all
</Files>
# For Nginx: add to server block
# (place this before any "location ~ \.php$" handler, since regex locations are matched in order of appearance)
location ~ /load_font\.php$ {
    deny all;
    return 403;
}

Remove vulnerable file (platform: linux)

Delete the vulnerable PHP file from the server

rm -f /path/to/tripexpress/system/helpers/dompdf/load_font.php

🧯 If You Can't Patch

  • Implement strict input validation on the src parameter to reject path traversal sequences
  • Apply strict file system permissions to limit write access to web directories

🔍 How to Verify

Check if Vulnerable:

Check if tripexpress version is 1.1 and if system/helpers/dompdf/load_font.php exists and is accessible via web requests.

Check Version:

Check tripexpress configuration files or documentation for version information

Verify Fix Applied:

Verify load_font.php is no longer accessible via web requests or has been removed from the filesystem.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /system/helpers/dompdf/load_font.php with ../ sequences in parameters
  • File write operations in unexpected directories

Network Indicators:

  • HTTP POST/GET requests containing path traversal sequences (../, ..\) to the vulnerable endpoint

SIEM Query:

source="web_logs" AND (uri="/system/helpers/dompdf/load_font.php" AND (param="src" AND value="*../*"))
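As an added detection example (not part of the original advisory), the following Python script parses combined-format web access log lines and flags requests to the vulnerable endpoint whose src parameter contains a ".." path segment, unwrapping percent-encoding so that encoded variants of the traversal sequence are caught as well. The log lines and client addresses are constructed samples; the endpoint path is the one named in this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2022:10:01:02 +0000] "GET /system/helpers/dompdf/load_font.php?src=fonts/arial.ttf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2022:10:01:05 +0000] "GET /system/helpers/dompdf/load_font.php?src=../../x.php HTTP/1.1" 200 34 "-" "curl/7.68.0"
203.0.113.12 - - [12/Jan/2022:10:01:09 +0000] "GET /system/helpers/dompdf/load_font.php?src=%2e%2e%2f%2e%2e%2fx.php HTTP/1.1" 200 34 "-" "python-requests/2.25"
203.0.113.13 - - [12/Jan/2022:10:01:12 +0000] "GET /index.php?page=../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Request line inside the quoted field: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/system/helpers/dompdf/load_font.php"  # endpoint from the advisory


def has_traversal(value: str) -> bool:
    """True if the (possibly multiply percent-encoded) value has a '..' path segment."""
    decoded = value
    for _ in range(3):  # unwrap a few layers; double encoding is a common evasion
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Split on both '/' and '\' so '..\' (see Network Indicators) is covered too.
    return ".." in re.split(r"[\\/]", decoded)


def scan_log(text: str) -> list:
    """Return one dict per request to load_font.php whose src parameter traverses."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(VULN_PATH):
            continue
        # parse_qs decodes one layer of percent-encoding; has_traversal handles the rest.
        params = parse_qs(parts.query, keep_blank_values=True)
        for src in params.get("src", []):
            if has_traversal(src):
                hits.append({"line": lineno, "client": line.split()[0], "src": src})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so a src value sent in a request body needs a web application firewall or reverse-proxy body logging to be visible to this check.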
