CVE-2012-10049

WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
VulnCheckCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/catchpoint/WebPageTest
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26148
https://www.exploit-db.com/exploits/19790
https://www.exploit-db.com/exploits/20173
https://www.vulncheck.com/advisories/webpagetest-arbitrary-php-file-upload-rce
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb
https://www.exploit-db.com/exploits/19790
https://www.exploit-db.com/exploits/20173