CVE-2013-0136
published 2013-06-01

Priority: P2 (64), high
CVSS 2.0 base score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 40.34% (98.5th percentile)
Multiple directory traversal vulnerabilities in the EditDocument servlet in the Frontend in Mutiny before 5.0-1.11 allow remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service (file deletion or renaming) via (1) the uploadPath parameter in an UPLOAD operation; the paths[] parameter in a (2) DELETE, (3) CUT, or (4) COPY operation; or the newPath parameter in a (5) CUT or (6) COPY operation.

Affected (2 ranges)

Vendor   Product   Version range      Fixed in
mutiny   mutiny    <= 5.0-1.10        5.0-1.11
mutiny   mutiny    (range not given)  (not given)

Detection & IOCs (extracted from sources)

url: /interface/EditDocument
url: /interface/index.do
url: /interface/j_security_check
cookie: JSESSIONID
command: uploadPath=../../../..{location}
other: uploadFile (multipart form-data field name for file upload)
other: {"success":true}
other: var currentMutinyVersion = "Version
  • Alert on POST requests to the EditDocument servlet path (/interface/EditDocument) containing multipart form-data with an 'uploadPath' field value that includes directory traversal sequences (e.g., '../../../..').
  • Monitor for directory traversal patterns in the uploadPath, paths[], and newPath parameters of requests to the EditDocument servlet, as all are vulnerable to traversal for UPLOAD, DELETE, CUT, and COPY operations.
  • Detect login sequences targeting /interface/j_security_check followed immediately by file upload POST to /interface/EditDocument — indicative of exploit automation (any authenticated role can exploit).
  • Flag HTTP responses from the Mutiny frontend containing the JSON body {"success":true} in reply to multipart POST requests to EditDocument, especially when the uploadPath contains traversal sequences.
  • Identify Mutiny appliances by the presence of 'var currentMutinyVersion' in HTTP response bodies; versions below 5.0-1.11 are vulnerable.
  • Look for the Apache-Coyote server header in HTTP responses as a fingerprint for the vulnerable Mutiny appliance backend.
  • Exploitation requires valid credentials for any role in the Mutiny web frontend; the vulnerability is post-authentication, so network-level blocking of unauthenticated access alone is insufficient.
  • The default credentials used by the Metasploit module are [email protected] / password; deployments should be checked for unchanged default credentials.
  • Successful exploitation results in arbitrary code execution with root privileges, not just file upload; the impact extends beyond file write to full system compromise.
  • The exploit module targets Mutiny 5.0-1.07 specifically; the vulnerability affects all versions before 5.0-1.11.
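As an added illustration of the detection bullets above (example code written for this entry, not part of the original record or of any vendor tooling), the following Python scanner applies those indicators to a constructed, hypothetical parsed-request format: it flags traversal segments in the uploadPath, paths[] and newPath parameters of POSTs to /interface/EditDocument, raises severity when the reply carries {"success":true}, and notes a preceding j_security_check login on the same JSESSIONID. The request dict layout and the sample traffic are assumptions made for the example.

```python
import re
from urllib.parse import unquote
# Constructed detection logic for the indicators above; the request dicts are a
# hypothetical, already-parsed proxy/WAF log format, not any real product's.
SERVLET = "/interface/EditDocument"
LOGIN = "/interface/j_security_check"
WATCHED = {"uploadPath", "paths[]", "newPath"}
# A '..' path segment between / or \ separators, checked after one URL-decode.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def traversal_params(params):
    """Names of watched parameters whose value contains a traversal segment."""
    hits = []
    for name, value in params.items():
        values = value if isinstance(value, list) else [value]
        if name in WATCHED and any(TRAVERSAL.search(unquote(v)) for v in values):
            hits.append(name)
    return sorted(hits)

def scan(requests):
    """Return (severity, session, detail) alerts: 'high' when traversal is met by
    a {"success":true} reply, 'medium' for traversal alone; a prior
    j_security_check login on the same JSESSIONID is flagged as the
    login-then-upload automation sequence."""
    logged_in, alerts = set(), []
    for r in requests:
        sid = r.get("cookies", {}).get("JSESSIONID", "-")
        if r["method"] == "POST" and r["path"] == LOGIN:
            logged_in.add(sid)
            continue
        if r["method"] != "POST" or r["path"] != SERVLET:
            continue
        hits = traversal_params(r.get("params", {}))
        if not hits:
            continue
        sev = "high" if '"success":true' in r.get("response_body", "") else "medium"
        detail = "traversal in " + ",".join(hits)
        if sid in logged_in:
            detail += "; follows j_security_check login (automation pattern)"
        alerts.append((sev, sid, detail))
    return alerts

# Constructed sample traffic, not real captures.
SAMPLE = [
    {"method": "POST", "path": LOGIN, "cookies": {"JSESSIONID": "A1"}, "params": {}},
    {"method": "POST", "path": SERVLET, "cookies": {"JSESSIONID": "A1"},
     "params": {"uploadPath": "../../../../tmp", "uploadFile": "x"}, "response_body": '{"success":true}'},
    {"method": "POST", "path": SERVLET, "cookies": {"JSESSIONID": "C3"},
     "params": {"newPath": "%2e%2e/%2e%2e/etc"}, "response_body": '{"success":false}'},
]
```

Run `scan(SAMPLE)` to see one high alert for session A1 (traversal, success reply, preceded by login) and one medium alert for C3; legitimate paths such as docs/a.txt in paths[] produce nothing.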