Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/87182?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/87182?format=api", "vulnerability_id": "VCID-af16-fznf-9kbc", "summary": "An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution.", "aliases": [ { "alias": "CVE-2013-10055" } ], "fixed_packages": [], "affected_packages": [], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2013-10055", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.83702", "scoring_system": "epss", "scoring_elements": "0.99309", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.83702", "scoring_system": "epss", "scoring_elements": "0.99313", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.83702", "scoring_system": "epss", "scoring_elements": "0.99312", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-10055" }, { "reference_url": "https://www.exploit-db.com/exploits/26243", "reference_id": "26243", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-04T14:20:04Z/" } ], "url": "https://www.exploit-db.com/exploits/26243" }, { "reference_url": "https://sourceforge.net/projects/havalite/", "reference_id": "havalite", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-04T14:20:04Z/" } ], "url": "https://sourceforge.net/projects/havalite/" }, { "reference_url": "https://www.vulncheck.com/advisories/havalite-cms-arbitary-file-upload-rce", "reference_id": "havalite-cms-arbitary-file-upload-rce", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-04T14:20:04Z/" } ], "url": "https://www.vulncheck.com/advisories/havalite-cms-arbitary-file-upload-rce" }, { "reference_url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "reference_id": "havalite_upload_exec.rb", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-04T14:20:04Z/" } ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/havalite_upload_exec.rb" } ], "weaknesses": [ { "cwe_id": 434, "name": "Unrestricted Upload of File with Dangerous Type", "description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment." } ], "exploits": [ { "date_added": null, "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.", "required_action": null, "due_date": null, "notes": "Reliability:\n - unknown-reliability\nStability:\n - unknown-stability\nSideEffects:\n - unknown-side-effects\n", "known_ransomware_campaign_use": false, "source_date_published": "2013-06-17", "exploit_type": null, "platform": "Linux,PHP", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/havalite_upload_exec.rb" } ], "severity_range_score": "9.3 - 9.3", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-af16-fznf-9kbc" }