Vulnerability Description
An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint does not properly validate file types or enforce authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.
Related Weaknesses (CWE)
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp
- https://www.exploit-db.com/exploits/28709
- https://www.fortiguard.com/encyclopedia/ips/37342/flashchat-arbitrary-file-uploa
- https://www.phpbb.com/community/viewtopic.php?t=2627786
- https://www.vulncheck.com/advisories/flashchat-arbitrary-file-upload-rce
FAQ
What is CVE-2013-10038?
CVE-2013-10038 is an unauthenticated arbitrary file upload vulnerability in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint does not properly validate file types or enforce authentication, allowing attackers to upload malicious PHP scripts that can then be executed remotely as the web server user.
How severe is CVE-2013-10038?
CVSS scoring is not yet available for CVE-2013-10038. Check NVD for updates.
Is there a patch for CVE-2013-10038?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.