cbcvebase.
CVE-2012-10044
published 2025-08-08


Priority: P274 | Severity: critical | CVSS 4.0 score: 10
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (all threat, environmental and supplemental metrics: X, not defined)
EXPLOIT
EPSS: 1.59% (72.5th percentile)
MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application fails to perform authentication or authorization checks before invoking file_put_contents() on attacker-controlled input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP GET requests to savepage.php, specifying both the filename and content. This allows arbitrary file creation within the pages/ directory or any writable path on the server, allowing remote code execution.

Affected

1 range

Vendor | Product | Version range | Fixed in
mobilecartly | mobilecartly | |

Detection & IOCs (extracted from sources)

path: savepage.php
path: pages/
  • Monitor for unauthenticated HTTP GET requests to savepage.php with filename and content parameters, which may indicate exploitation attempts.
  • Alert on new file creation events within the pages/ directory of MobileCartly installations, especially files with executable extensions (e.g., .php), as these may indicate successful exploitation and webshell deployment.
  • Detect use of the Metasploit module mobilecartly_upload_exec against MobileCartly 1.0 instances by correlating HTTP requests to savepage.php with known Metasploit user-agent patterns or payload signatures.
  • Exploitation is not limited to the pages/ directory; any path writable by the web server process can be targeted, broadening the scope of file monitoring required.
  • The vulnerability requires no authentication or authorization, meaning any network-accessible instance of MobileCartly 1.0 is exploitable without credentials.
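
The first monitoring point above, sketched as a log triage script. This is an added example, not code from the advisory or from MobileCartly. The advisory does not name the query parameters or the install path, so the script matches any GET to savepage.php carrying two or more parameters and inspects the decoded values; the /shop/ path, the name and body parameters in the sample lines, and the extension list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log line: client, timestamp, request line, status, size.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")  # assumed list of executable extensions

def score_line(line):
    """Return (client_ip, severity, reasons) for a suspicious line, else None."""
    m = LINE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/savepage.php"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)  # values come back URL-decoded
    if len(params) < 2:  # the advisory describes a filename plus content
        return None
    reasons = ["GET to savepage.php with %d query parameters" % len(params)]
    for _, value in params:
        v = value.lower()
        if v.endswith(EXEC_EXT):
            reasons.append("value names an executable file")
        if "<?" in v:
            reasons.append("value contains a PHP open tag")
        if "../" in v or v.startswith("/"):
            reasons.append("value points outside pages/")
    # A 2xx answer plus a content indicator suggests the write went through.
    hit = m["status"].startswith("2") and len(reasons) > 1
    return m["ip"], ("high" if hit else "medium"), reasons

def scan(lines):
    """Score every line and keep only the findings."""
    return [r for r in map(score_line, lines) if r]

# Constructed sample log lines (documentation IPs, placeholder path and parameter names).
SAMPLE = [
    '203.0.113.7 - - [08/Aug/2025:10:01:02 +0000] "GET /shop/savepage.php?name=x.php'
    '&body=%3C%3Fphp+echo+1%3B%3F%3E HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.4 - - [08/Aug/2025:10:01:05 +0000] "GET /shop/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Aug/2025:10:02:11 +0000] "GET /savepage.php?name=notes&body=hello HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, severity, reasons in scan(SAMPLE):
        print(severity, ip, "; ".join(reasons))
```

A "high" finding is worth pairing with a check for newly created files under pages/ and other web-writable paths, as the second monitoring point describes.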