CVE-2012-10045

XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request.

CVSS

No CVSS.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/xoda_file_upload.rb
https://sourceforge.net/projects/xoda/
https://www.exploit-db.com/exploits/20703
https://www.exploit-db.com/exploits/20713
https://www.vulncheck.com/advisories/xoda-arbitrary-php-file-upload
https://xoda.org/
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/xoda_file_upload.rb
https://www.exploit-db.com/exploits/20703
https://www.exploit-db.com/exploits/20713

Configurations

No configuration.

History

08 Aug 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-08 19:15

Updated : 2025-08-08 20:30

NVD link : CVE-2012-10045

Mitre link : CVE-2012-10045

CVE.ORG link : CVE-2012-10045

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2012-10045", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "disclosure@vulncheck.com"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-08T19:15:34.450", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/xoda_file_upload.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://sourceforge.net/projects/xoda/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/20703", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/20713", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/xoda-arbitrary-php-file-upload", "source": "disclosure@vulncheck.com"}, {"url": "https://xoda.org/", "source": "disclosure@vulncheck.com"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/xoda_file_upload.rb", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/20703", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/20713", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request."}], "lastModified": "2025-08-08T20:30:18.180", "sourceIdentifier": "disclosure@vulncheck.com"}