CVE-2012-10045

CRITICAL EPSS 60.4%

Published Aug 8, 202510mo ago · Modified Jun 16, 20261w ago

9.3 CVSS 4.0

Critical

Published Aug 8, 2025 10mo ago

Last Modified Jun 16, 2026 1w ago

Description

XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request.

CVSS Details

Base Score

9.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

60.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

References 6

raw.githubusercontent.com https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/xoda_file_upload.rb
sourceforge.net https://sourceforge.net/projects/xoda/
exploit-db.com https://www.exploit-db.com/exploits/20703
exploit-db.com https://www.exploit-db.com/exploits/20713
vulncheck.com https://www.vulncheck.com/advisories/xoda-arbitrary-php-file-upload
xoda.org https://xoda.org/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.