CVE-2012-10033
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-06
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| narcissus | narcissus | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Narcissus allows remote code execution because the backend.php script does not properly sanitize the 'release' parameter before passing it to the configure_image() function. This function uses PHP's passthru() with the unsanitized input, enabling attackers to inject and execute arbitrary system commands on the server via a crafted POST request.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary system commands on the web server with the same privileges as the web server process. This can lead to full system compromise, data theft, service disruption, or further attacks within the affected environment.