CVE-2012-10036

Exploit

EPSS 72.45%
Veröffentlicht 08.08.2025 18:12:12
Zuletzt bearbeitet 08.08.2025 20:30:18
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Project Pier 0.8.8 and earlier contains an unauthenticated arbitrary file upload vulnerability in tools/upload_file.php. The upload handler fails to validate the file type or enforce authentication, allowing remote attackers to upload malicious PHP files directly into a web-accessible directory. The uploaded file is stored with a predictable suffix and can be executed by requesting its URL, resulting in remote code execution.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerProjectPier

≫

Produkt ProjectPier

Default Statusunaffected

Version <= 0.8.8

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	72.45%	0.987

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/projectpier_upload_exec.rb

https://www.exploit-db.com/exploits/21929

https://packetstorm.news/files/id/117070

https://web.archive.org/web/20120111090432/http://www.projectpier.org/

https://www.opensourcecms.com/projectpier/

https://www.vulncheck.com/advisories/project-pier-arbitrary-file-upload-rce

https://nvd.nist.gov/vuln/detail/CVE-2012-10036

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2012-10036

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2012-10036

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2012-10036