CVE-2013-10032
Published 2025-07-25
Priority: P2 · 70 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 2.48% (82.6th percentile)
An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| get-simple | getsimplecms | — | — |
| getsimple_cms_project | getsimple_cms | — | — |
Detection & IOCs
- Monitor HTTP POST requests to upload.php in GetSimpleCMS installations for file uploads with .pht or other non-standard PHP-executable extensions (e.g., .phtml, .php3, .php4, .php5) that may bypass blacklist filters.
- Alert on authenticated HTTP GET requests to files with .pht extensions within the web root of GetSimpleCMS, as this indicates payload execution after a successful upload.
- Flag abuse of the upload.php endpoint in GetSimpleCMS 3.2.1 by authenticated users uploading arbitrary files; the vulnerability is exploitable via the Metasploit module get_simple_cms_upload_exec.
- The bypass relies on a blacklist-based file extension filter rather than a whitelist; detection rules should account for all PHP-executable extensions not explicitly blocked (e.g., .pht, .phtml, .php3, .php4, .php5, .shtml).
- Exploitation requires prior authentication; detections should correlate upload activity with valid session cookies/credentials to reduce false positives from unauthenticated probes.
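The correlation described in the list above, as an added example that is not part of the original entry or of any vendor rule: it scans web server access logs for a successful POST to upload.php and for served GET requests to files with the listed extensions. It assumes Combined Log Format and uses the client IP as a stand-in for the authenticated session; the sample log lines and their paths are constructed.

```python
import re
from urllib.parse import urlsplit

# Extensions the entry lists as candidates for slipping past the blacklist.
RISKY_EXT = {".pht", ".phtml", ".php3", ".php4", ".php5", ".shtml"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def risky_extension(target):
    """Return the last extension of the request path if it is risky, else None."""
    name = urlsplit(target).path.lower().rsplit("/", 1)[-1]
    dot = name.rfind(".")
    ext = name[dot:] if dot > 0 else ""
    return ext if ext in RISKY_EXT else None

def detect(lines):
    """Return (severity, client_ip, target) alerts for served risky files."""
    uploaders = set()  # clients seen making a successful POST to upload.php
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"][0] not in "23":
            continue  # unparsable line, or a request that was rejected
        path = urlsplit(m["target"]).path.lower()
        if m["method"] == "POST" and path.endswith("/upload.php"):
            uploaders.add(m["ip"])
        elif m["method"] == "GET" and risky_extension(m["target"]):
            # Assumption: client IP stands in for the authenticated session,
            # because plain access logs do not record the session cookie.
            sev = "high" if m["ip"] in uploaders else "medium"
            alerts.append((sev, m["ip"], m["target"]))
    return alerts

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [25/Jul/2025:10:00:01 +0000] "POST /cms/upload.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [25/Jul/2025:10:00:05 +0000] "GET /cms/files/note.PHT?x=1 HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.9 - - [25/Jul/2025:10:01:00 +0000] "GET /cms/files/a.phtml HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [25/Jul/2025:10:02:00 +0000] "GET /cms/files/logo.png HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.9 - - [25/Jul/2025:10:03:00 +0000] "GET /cms/files/old.php5 HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A "high" alert means the same client uploaded and then fetched a risky file; "medium" means a risky file was served without a matching upload in the scanned window, which still warrants a look at how the file got there.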
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
- https://get-simple.info
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895
- https://www.exploit-db.com/exploits/25405
- https://www.fortiguard.com/encyclopedia/ips/39295
- https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload