CVE-2013-10032

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.

CVSS

No CVSS.

References

Link	Resource
https://get-simple.info
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895
https://www.exploit-db.com/exploits/25405
https://www.fortiguard.com/encyclopedia/ips/39295
https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload

Configurations

No configuration.

History

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de ejecución remota de código autenticado en GetSimpleCMS versión 3.2.1. El endpoint upload.php de la aplicación permite a los usuarios autenticados subir archivos arbitrarios sin la validación adecuada de los tipos MIME o extensiones. Al subir un archivo .pht con código PHP, un atacante puede eludir las restricciones de la lista negra y colocar el código ejecutable en la raíz web. Una solicitud manipulada con una extensión políglota o disfrazada permite al atacante ejecutar un payload accediendo al archivo directamente a través del servidor web. Esta vulnerabilidad se debe al uso de una lista negra para filtrar los tipos de archivo en lugar de una lista blanca.

25 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-25 16:15

Updated : 2025-07-29 14:14

NVD link : CVE-2013-10032

Mitre link : CVE-2013-10032

CVE.ORG link : CVE-2013-10032

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2013-10032", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-25T16:15:24.550", "references": [{"url": "https://get-simple.info", "source": "disclosure@vulncheck.com"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/25405", "source": "disclosure@vulncheck.com"}, {"url": "https://www.fortiguard.com/encyclopedia/ips/39295", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application\u2019s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo autenticado en GetSimpleCMS versi\u00f3n 3.2.1. El endpoint upload.php de la aplicaci\u00f3n permite a los usuarios autenticados subir archivos arbitrarios sin la validaci\u00f3n adecuada de los tipos MIME o extensiones. Al subir un archivo .pht con c\u00f3digo PHP, un atacante puede eludir las restricciones de la lista negra y colocar el c\u00f3digo ejecutable en la ra\u00edz web. Una solicitud manipulada con una extensi\u00f3n pol\u00edglota o disfrazada permite al atacante ejecutar un payload accediendo al archivo directamente a trav\u00e9s del servidor web. Esta vulnerabilidad se debe al uso de una lista negra para filtrar los tipos de archivo en lugar de una lista blanca."}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "disclosure@vulncheck.com"}