Xerte Online Toolkits versions 3.15 and earlier contain a critical missing authentication vulnerability in the elFinder connector endpoint. The vulnerability allows unauthenticated attackers to perform file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files in project media directories. This can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read. The issue stems from improper handling of HTTP redirects where PHP execution continues after redirecting unauthenticated callers.