CVE-2012-10034

ClanSphere 2011.3 is vulnerable to a local file inclusion (LFI) flaw due to improper handling of the cs_lang cookie parameter. The application fails to sanitize user-supplied input, allowing attackers to traverse directories and read arbitrary files outside the web root. The vulnerability is further exacerbated by null byte injection (%00) to bypass file extension checks.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb	Exploit Third Party Advisory
https://sourceforge.net/projects/clansphere/	Product
https://www.exploit-db.com/exploits/22181	Exploit VDB Entry
https://www.vulncheck.com/advisories/clansphere-local-file-inclusion-via-cookie	Third Party Advisory
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/22181	Exploit VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:csphere:clansphere:2011.3:*:*:*:*:*:*:*

History

23 Sep 2025, 18:46

Type	Values Removed	Values Added
First Time		Csphere clansphere Csphere
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb -~~	() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb - Exploit, Third Party Advisory
References	~~() https://sourceforge.net/projects/clansphere/ -~~	() https://sourceforge.net/projects/clansphere/ - Product
References	~~() https://www.exploit-db.com/exploits/22181 -~~	() https://www.exploit-db.com/exploits/22181 - Exploit, VDB Entry
References	~~() https://www.vulncheck.com/advisories/clansphere-local-file-inclusion-via-cookie -~~	() https://www.vulncheck.com/advisories/clansphere-local-file-inclusion-via-cookie - Third Party Advisory
CPE		cpe:2.3:a:csphere:clansphere:2011.3:::::::*

06 Aug 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb -~~	() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/clansphere_traversal.rb -
References	~~() https://www.exploit-db.com/exploits/22181 -~~	() https://www.exploit-db.com/exploits/22181 -
Summary		(es) ClanSphere 2011.3 es vulnerable a una falla de inclusión de archivos locales (LFI) debido al manejo incorrecto del parámetro de cookie cs_lang. La aplicación no depura la información proporcionada por el usuario, lo que permite a los atacantes recorrer directorios y leer archivos arbitrarios fuera de la raíz web. La vulnerabilidad se ve agravada por la inyección de bytes nulos (%00) para eludir las comprobaciones de extensión de archivo.

05 Aug 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 20:15

Updated : 2025-09-23 18:46

NVD link : CVE-2012-10034

Mitre link : CVE-2012-10034

CVE.ORG link : CVE-2012-10034

JSON object : View

Products Affected

csphere

clansphere

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10