CVE-2012-10036
published 2025-08-08

Priority: P2 (73) · Severity: critical · CVSS 4.0 base score: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EXPLOIT
EPSS: 1.51% (71.3rd percentile)
Project Pier 0.8.8 and earlier contains an unauthenticated arbitrary file upload vulnerability in tools/upload_file.php. The upload handler fails to validate the file type or enforce authentication, allowing remote attackers to upload malicious PHP files directly into a web-accessible directory. The uploaded file is stored with a predictable suffix and can be executed by requesting its URL, resulting in remote code execution.

Affected

1 range
Vendor | Product | Version range | Fixed in
projectpier | projectpier | <= 0.8.8 | not listed

Detection & IOCs (extracted from sources)

Path: tools/upload_file.php
  • Monitor for POST requests to tools/upload_file.php. The application requires no session or auth token for this endpoint, so any POST to it from an external source is suspicious.
  • Alert on PHP files appearing in web-accessible directories on Project Pier instances, particularly files whose names carry the predictable suffix the upload handler appends, shortly after a POST to tools/upload_file.php.
  • Correlate a POST to the upload endpoint with a subsequent GET to a newly created file in the upload directory from the same source; the GET is the execution step. The known exploit relies on Apache's extension handling to have the uploaded file executed as PHP, so execution-focused rules matter most on Apache deployments.
  • The unauthenticated upload itself does not depend on the web server, but the path to code execution is Apache-specific; on other servers (e.g., nginx, IIS) the uploaded file may not execute. Scope execution-detection rules accordingly, but keep alerting on the upload.
  • Only Project Pier 0.8.8 and earlier are affected; scope detection to those deployments to reduce false positives.
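The correlation the bullets above describe, as an added example written for this page (it is not code from the advisory's sources or from Project Pier): a small Apache access-log rule that flags every POST to tools/upload_file.php, then raises a high-severity alert when the same client fetches a PHP-looking file from the upload directory within a time window. Apache's mod_mime treats a name such as upload_x.php.txt as carrying both extensions, and when PHP is mapped with AddHandler the file is executed; that is why the check looks for a PHP extension anywhere in the file name rather than only at the end. The page does not state the exact suffix the handler appends, so the rule matches any .php-family segment. The application root (/pier/), the upload directory (/pier/tmp/) and the sample log lines are constructed for the example; adjust the paths to the deployment you monitor.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines, NOT real traffic. The app root
# (/pier/) and the upload directory (/pier/tmp/) are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2025:10:01:02 +0000] "GET /pier/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2025:10:01:09 +0000] "POST /pier/tools/upload_file.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [08/Aug/2025:10:01:11 +0000] "GET /pier/tmp/upload_a1b2c3.php.txt HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [08/Aug/2025:10:05:00 +0000] "POST /pier/tools/upload_file.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Aug/2025:10:05:03 +0000] "GET /pier/tmp/upload_d4e5f6.pdf HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Aug/2025:11:00:00 +0000] "GET /pier/tmp/upload_zz.php.txt HTTP/1.1" 404 200 "-" "curl/8.0"
192.0.2.9 - - [08/Aug/2025:11:00:05 +0000] "GET /pier/tmp/upload_zz.php.txt HTTP/1.1" 200 412 "-" "curl/8.0"
"""

# Apache combined log: client ip, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/tools/upload_file.php"
# Extensions Apache may hand to the PHP interpreter when they appear anywhere in the
# file name (mod_mime multiple-extension handling with AddHandler).
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop query string before path checks
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": path, "status": int(m["status"])}


def looks_like_php(path):
    """True if any extension segment after the base name is a PHP extension,
    so 'shell.php' and 'shell.php.txt' both match while 'report.pdf' does not."""
    name = path.rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    return any(p in PHP_EXTS for p in parts[1:])


def detect(log_text, upload_dirs=("/tmp/",), window=timedelta(minutes=10)):
    """Run the three rules over the log and return alerts in log order."""
    alerts = []
    last_upload_post = {}  # ip -> timestamp of the most recent POST to the upload handler
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, path, status = ev["ip"], ev["ts"], ev["path"], ev["status"]

        # Rule 1: the app never requires auth for this endpoint, so every POST is notable.
        if ev["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            last_upload_post[ip] = ts
            alerts.append({"rule": "unauth_upload_post", "severity": "medium",
                           "ip": ip, "path": path, "ts": ts})
            continue

        # Only successful GETs of PHP-looking files inside an upload directory matter below.
        if ev["method"] != "GET" or not (200 <= status < 300):
            continue
        if not (any(d in path for d in upload_dirs) and looks_like_php(path)):
            continue

        prior = last_upload_post.get(ip)
        if prior is not None and timedelta(0) <= ts - prior <= window:
            # Rule 2: upload followed by execution request from the same client.
            alerts.append({"rule": "upload_then_exec", "severity": "high",
                           "ip": ip, "path": path, "ts": ts})
        else:
            # Rule 3: PHP served from the upload dir with no observed upload (e.g. older drop).
            alerts.append({"rule": "php_in_upload_dir", "severity": "low",
                           "ip": ip, "path": path, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['rule']:20} {a['ip']:14} {a['path']}")
```

The 404 probe from 192.0.2.9 is deliberately ignored: a failed fetch shows intent but not execution, and alerting on it inflates noise when scanners walk the upload directory. If your Apache config maps PHP with SetHandler inside a FilesMatch anchored on "\.php$", the double-extension path does not execute and the "upload_then_exec" rule can be restricted to names ending in .php, but the upload rule should stay in place regardless of server.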