CVE-2013-10032

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://get-simple.info	Product
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb	Exploit Third Party Advisory
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895	Third Party Advisory
https://www.exploit-db.com/exploits/25405	Exploit VDB Entry
https://www.fortiguard.com/encyclopedia/ips/39295	Third Party Advisory
https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:get-simple:getsimplecms:3.2.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-25 16:15

Updated : 2025-09-23 23:44

NVD link : CVE-2013-10032

Mitre link : CVE-2013-10032

CVE.ORG link : CVE-2013-10032

JSON object : View

Products Affected

get-simple

getsimplecms

CWE

CWE-306

Missing Authentication for Critical Function

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2013-10032", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-25T16:15:24.550", "references": [{"url": "https://get-simple.info", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/25405", "tags": ["Exploit", "VDB Entry"], "source": "[email protected]"}, {"url": "https://www.fortiguard.com/encyclopedia/ips/39295", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application\u2019s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo autenticado en GetSimpleCMS versi\u00f3n 3.2.1. El endpoint upload.php de la aplicaci\u00f3n permite a los usuarios autenticados subir archivos arbitrarios sin la validaci\u00f3n adecuada de los tipos MIME o extensiones. Al subir un archivo .pht con c\u00f3digo PHP, un atacante puede eludir las restricciones de la lista negra y colocar el c\u00f3digo ejecutable en la ra\u00edz web. Una solicitud manipulada con una extensi\u00f3n pol\u00edglota o disfrazada permite al atacante ejecutar un payload accediendo al archivo directamente a trav\u00e9s del servidor web. Esta vulnerabilidad se debe al uso de una lista negra para filtrar los tipos de archivo en lugar de una lista blanca."}], "lastModified": "2025-09-23T23:44:07.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:get-simple:getsimplecms:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29446EF3-5DFC-40F1-9FFE-2CB956C5B7B4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}