CVE-2012-10038
published 2025-08-11

Priority: P274 | Severity: critical, 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all remaining metrics: X, Not Defined)
EXPLOIT
EPSS: 1.39% (68.9th percentile)

Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files. These files are stored in a web-accessible /banners/ directory and can be executed directly, resulting in remote code execution.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
auxilium | ratemypet | |

Detection & IOCs (extracted from sources)

path: /banners/
path: upload_banners.php
  • Monitor for unauthenticated POST requests to upload_banners.php, particularly those uploading PHP files (e.g., Content-Type: application/x-php or filenames ending in .php).
  • Alert on HTTP GET/POST requests to files under the /banners/ directory with a .php extension, which would indicate execution of an uploaded webshell.
  • The Metasploit module exploits the banner uploading feature to upload an arbitrary file accessible in the 'banner' directory; look for Metasploit-characteristic User-Agent strings in requests to upload_banners.php.
  • The vulnerable endpoint upload_banners.php requires no authentication, meaning any network-accessible instance is exploitable without credentials.
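
The two request patterns from the monitoring bullets above, written as a scan over web server access logs. This is an added example, not part of the advisory or any published rule; the combined log format, the extra PHP-handled extensions and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: besides .php, the server may also hand these extensions to PHP.
# The trailing "/" alternative catches path-info requests such as x.php/extra.
PHP_EXT = re.compile(r'\.(?:php\d?|phtml|phar)(?:/|$)', re.IGNORECASE)


def classify(line):
    """Return (rule, ip, path, status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode percent-encoding before matching,
    # so /banners/x%2Ephp?c=1 is treated the same as /banners/x.php.
    path = unquote(urlsplit(m["target"]).path)
    lowered = path.lower()
    status = int(m["status"])
    # The endpoint needs no login, so every POST to it is worth reviewing.
    if m["method"] == "POST" and lowered.endswith("/upload_banners.php"):
        return ("upload-attempt", m["ip"], path, status)
    # Banner images are static; a script request under /banners/ is not.
    if "/banners/" in lowered and PHP_EXT.search(lowered):
        return ("banner-script-request", m["ip"], path, status)
    return None


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE = [
    '203.0.113.7 - - [11/Aug/2025:10:00:01 +0000] "POST /ratemypet/upload_banners.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [11/Aug/2025:10:00:05 +0000] "GET /ratemypet/banners/a1%2Ephp?c=1 HTTP/1.1" 200 34 "-" "curl/8.0"',
    '198.51.100.20 - - [11/Aug/2025:10:01:00 +0000] "GET /ratemypet/banners/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Aug/2025:10:01:02 +0000] "GET /ratemypet/upload_banners.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

A 200 status on a `banner-script-request` hit shortly after an `upload-attempt` from the same address is the sequence to escalate first.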