CVE-2013-10038
published 2025-07-31


Priority: P2 70 | Severity: critical | CVSS 4.0: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics: X)
EXPLOIT
EPSS: 1.60% (72.7th percentile)
An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.

Affected

2 ranges

Vendor | Product   | Version range | Fixed in
tufat  | flashchat |               |
tufat  | flashchat | 6.0.4 – 6.0.8 |

Detection & IOCs (extracted from sources)

path: upload.php
version: FlashChat 6.0.2
version: FlashChat 6.0.4 through 6.0.8
  • Monitor for unauthenticated POST requests to upload.php in FlashChat installations, particularly those uploading files with PHP extensions.
  • Alert on web server execution of newly uploaded PHP files in FlashChat web directories, which may indicate successful exploitation and remote code execution.
  • Detect exploitation attempts using the Metasploit module exploits/unix/webapp/flashchat_upload_exec targeting FlashChat 6.0.2 and 6.0.4–6.0.8.
  • Exploitation requires no authentication — any unauthenticated attacker with network access to the upload.php endpoint can exploit this vulnerability.
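
The first two monitoring points above can be correlated from a web server access log. The following is an added example, not code from this page or from FlashChat: it flags every POST to upload.php and then any PHP path first requested by the same client shortly afterwards. The combined log format, the /chat/ paths, the IP addresses and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log (hypothetical paths, documentation-range IPs).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /chat/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:01:00 +0000] "POST /chat/upload.php HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Aug/2025:10:01:05 +0000] "GET /chat/files/a1.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Aug/2025:10:01:09 +0000] "GET /chat/index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Aug/2025:10:30:00 +0000] "GET /chat/files/a1.php HTTP/1.1" 200 12',
]

def parse(line):
    """Return (ip, time, method, path-without-query, status) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def detect(lines, known=(), window=timedelta(minutes=10)):
    """Correlate POSTs to upload.php with first-seen PHP paths from the same IP.

    known: PHP paths already baselined as legitimate (optional).
    An access log cannot show application session state, so every POST to
    upload.php is reported and left to triage.
    """
    seen = set(known)   # PHP paths observed so far
    uploads = {}        # ip -> time of its last non-error upload POST
    alerts = []
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        is_php = path.lower().endswith(".php")
        if method == "POST" and path.lower().endswith("/upload.php"):
            alerts.append(("upload_post", ip, path))
            if status < 400:
                uploads[ip] = when
        elif is_php and path not in seen:
            if ip in uploads and when - uploads[ip] <= window:
                alerts.append(("new_php_after_upload", ip, path))
        if is_php:
            seen.add(path)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Seeding `known` with the installation's shipped PHP files reduces noise from legitimate scripts that simply have not been requested yet in the log being read.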