CVE-2012-10038
Published: 2025-08-11
Priority: P2 · 74 · Severity: critical · CVSS 4.0 base score: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT · EPSS: 1.39% (68.9th percentile)
Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files. These files are stored in a web-accessible /banners/ directory and can be executed directly, resulting in remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| auxilium | ratemypet | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to upload_banners.php, particularly those uploading PHP files (e.g., Content-Type: application/x-php or filenames ending in .php).
- Alert on HTTP GET/POST requests to files under the /banners/ directory with a .php extension, which would indicate execution of an uploaded webshell.
- The Metasploit module exploits the banner uploading feature to upload an arbitrary file accessible in the 'banner' directory; look for Metasploit-characteristic User-Agent strings in requests to upload_banners.php.
- The vulnerable endpoint upload_banners.php requires no authentication, meaning any network-accessible instance is exploitable without credentials.
No detection rules found.
No writeups or analysis indexed.