CVE-2013-10055
Published 2025-08-01
Priority: P2 · 73 · critical · 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.34% (67.9th percentile)
An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| havalite_cms | havalite_cms | — | — |
Detection & IOCs
- Monitor for unauthenticated multipart/form-data POST requests to upload.php on Havalite CMS installations
- Alert on PHP file creation or access under the havalite/tmp/files/ directory, which is the webshell drop location
- Detect exploitation attempts via Metasploit module havalite_upload_exec targeting Havalite CMS 1.1.7 and prior
- The vulnerability affects Havalite CMS 1.1.7 and possibly earlier versions; the exact lower version boundary is unconfirmed
- No authentication is required to reach the vulnerable upload.php endpoint, meaning the attack surface is fully exposed on any internet-facing Havalite instance
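
One way to apply the first two monitoring points above to a web server access log, as an added example (not part of the source advisory or any vendor rule set). It assumes Combined Log Format; the sample lines, the IP addresses and the `/havalite/` URL prefix are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_RE = re.compile(r'/upload\.php$', re.I)
# Script-type files requested from the drop directory named in the advisory.
DROP_RE = re.compile(r'havalite/tmp/files/[^/]+\.(?:php\d?|phtml|phar)$', re.I)

# Constructed sample input (documentation-range IP addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "GET /havalite/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Aug/2025:10:02:13 +0000] "POST /havalite/upload.php HTTP/1.1" 200 87 "-" "-"',
    '192.0.2.10 - - [01/Aug/2025:10:02:15 +0000] "GET /havalite/tmp/files/a.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [01/Aug/2025:10:03:40 +0000] "GET /havalite/tmp/files/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Aug/2025:10:05:02 +0000] "GET /havalite/tmp/files/x.PHP?v=1 HTTP/1.1" 404 196 "-" "-"',
]


def scan(lines):
    """Return (rule, ip, timestamp, path) for each suspicious request, in log order."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        ip, ts = m["ip"], m["ts"]
        if m["method"] == "POST" and UPLOAD_RE.search(path):
            uploaders.add(ip)
            findings.append(("upload_post", ip, ts, path))
        elif DROP_RE.search(path):
            # Higher-confidence rule when the same client POSTed to upload.php earlier.
            rule = "drop_exec_after_upload" if ip in uploaders else "drop_script_access"
            findings.append((rule, ip, ts, path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An access log does not record whether a request was authenticated, so every POST to upload.php is surfaced for review; file-creation monitoring on the havalite/tmp/files/ directory itself covers uploads that never appear in the log being scanned.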
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/havalite_upload_exec.rb
- https://sourceforge.net/projects/havalite/
- https://www.exploit-db.com/exploits/26243
- https://www.vulncheck.com/advisories/havalite-cms-arbitary-file-upload-rce