CVE-2013-10037
Published 2025-07-31
Priority: P178 · Severity: critical · CVSS 4.0 base score: 9.3
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available (see references)
EPSS: 9.86% (95.0th percentile)
An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eppler_software | webtester | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests targeting install2.php for shell metacharacters or command injection payloads in the cpusername, cppassword, and cpdomain parameters.
- Alert on unauthenticated access to install2.php on WebTester 5.x installations; the installation script should not be publicly accessible post-deployment.
- Exploitation requires the install2.php script to be present and accessible; environments where the installation script has been removed or access-restricted post-install are not vulnerable via this vector.
- Exploitation is limited to WebTester version 5.x; other versions are not confirmed affected by this specific vulnerability.
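As an added example (not code from the advisory, the WebTester project, or any of the linked sources), the two monitoring items above written as detection logic and run over constructed request records; the record format, field names and sample values are assumptions made for illustration.

```python
# Detection logic for CVE-2013-10037 indicators (added example, not from the advisory).
# Flags (1) any request reaching install2.php, which should be absent after setup,
# and (2) POST bodies where the three shell-bound parameters carry shell metacharacters.
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as passed to shell commands without sanitization.
INJECTABLE_PARAMS = ("cpusername", "cppassword", "cpdomain")
# Characters that terminate, chain or substitute commands in a POSIX shell.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def analyse_request(method, url, body=""):
    """Return a list of findings for one HTTP request; empty means nothing suspicious."""
    script = urlsplit(url).path.rsplit("/", 1)[-1]
    if script != "install2.php":
        return []
    findings = ["install2.php reachable: installer should be removed after deployment"]
    if method.upper() != "POST":
        return findings
    # parse_qs decodes percent-encoding, so encoded metacharacters are caught too.
    params = parse_qs(body, keep_blank_values=True)
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in {name}: {value!r}")
    return findings


# Constructed sample traffic (assumed format): (method, url, url-encoded body).
SAMPLE_REQUESTS = [
    ("GET", "/index.php", ""),
    ("GET", "/install2.php", ""),
    ("POST", "/install2.php", "cpusername=admin&cppassword=secret&cpdomain=example.test"),
    ("POST", "/install2.php", "cpusername=admin%3Bid&cppassword=x&cpdomain=example.test"),
]


def scan(requests):
    """Map each request index to its findings, omitting requests with none."""
    report = {}
    for i, (method, url, body) in enumerate(requests):
        findings = analyse_request(method, url, body)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][:2], *findings, sep="\n  ")
```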
No detection rules found.
No writeups or analysis indexed.
References:
- https://advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.html
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rb
- https://sourceforge.net/p/webtesteronline/bugs/3/
- https://www.exploit-db.com/exploits/29132
- https://www.vulncheck.com/advisories/webtester-unauth-command-execution