Vulnerability Description
An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution.
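A defender's check for the pattern described above, as an added example that is not part of the original advisory: it scans web server access logs for POST requests to upload.php and for requests to script files under havalite/tmp/files/. The combined log format, the list of script extensions, and the sample lines are assumptions made for this example; the page does not give the full path of upload.php.

```python
import re
from urllib.parse import unquote

# Common/combined log format: ip - - [ts] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
UPLOAD_DIR = "havalite/tmp/files/"  # upload directory named in the advisory
# Assumption: extensions a typical PHP handler mapping would execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def classify(line):
    """Return (ip, kind, path, status) for a log line of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    # Drop the query string, decode %xx escapes, normalise case before matching.
    path = unquote(target.split("?", 1)[0]).lower()
    if method == "POST" and path.endswith("/upload.php"):
        return ip, "upload_post", path, int(status)
    if UPLOAD_DIR in path and SCRIPT_EXT.search(path):
        return ip, "script_in_upload_dir", path, int(status)
    return None

def scan(lines):
    """Collect findings; escalate script requests that follow an upload POST
    from the same client address."""
    uploaders, findings = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, kind, path, status = hit
        if kind == "upload_post":
            uploaders.add(ip)
        elif ip in uploaders:
            kind = "upload_then_execute"
        findings.append((ip, kind, path, status))
    return findings

# Constructed sample lines: documentation addresses, invented file names, and
# an assumed location for upload.php.
SAMPLE = [
    '198.51.100.7 - - [01/Jul/2013:10:00:01 +0000] "GET /havalite/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jul/2013:10:00:05 +0000] "POST /havalite/upload.php HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jul/2013:10:00:06 +0000] "GET /havalite/tmp/files/example.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2013:10:02:00 +0000] "GET /havalite/tmp/files/photo.jpg HTTP/1.1" 200 20480',
    '192.0.2.44 - - [01/Jul/2013:10:03:00 +0000] "GET /havalite/tmp/files/Example.PHP?x=1 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 response to a script under the upload directory deserves the closest look, since it means the file exists and the server handled the request.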
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp
- https://sourceforge.net/projects/havalite/
- https://www.exploit-db.com/exploits/26243
- https://www.vulncheck.com/advisories/havalite-cms-arbitary-file-upload-rce
FAQ
What is CVE-2013-10055?
CVE-2013-10055 is an unauthenticated arbitrary file upload vulnerability in the upload.php script of Havalite CMS version 1.1.7 (and possibly earlier). See the Vulnerability Description above for details.
How severe is CVE-2013-10055?
CVSS scoring is not yet available for CVE-2013-10055. Check NVD for updates.
Is there a patch for CVE-2013-10055?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.