CVE-2012-10054
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-09-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| umbraco | umbraco_cms | to 4.7.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2012-10054 is a critical remote code execution vulnerability in Umbraco CMS versions prior to 4.7.1. It occurs because the codeEditorSave.asmx SOAP endpoint exposes a SaveDLRScript operation that allows unauthenticated users to upload arbitrary files. Due to a path traversal flaw in the fileName parameter, attackers can upload malicious ASPX scripts directly into the web-accessible /umbraco/ directory. Once uploaded, these scripts can be executed remotely, allowing attackers to run arbitrary code on the server without any authentication or user interaction. [1, 2, 4]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including full remote code execution on the affected server. Attackers can upload and execute malicious ASPX scripts, potentially gaining control over the web server, accessing sensitive data, modifying or deleting files, and disrupting service availability. Since the exploit requires no authentication and no user interaction, it can be exploited remotely over the network, making it highly dangerous and easy to abuse. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability can be performed by sending crafted SOAP requests to the codeEditorSave.asmx endpoint, specifically targeting the SaveDLRScript operation with path traversal payloads in the fileName parameter. One can use tools like curl or Burp Suite to send such requests and observe responses. For example, sending a SOAP request with a filename containing directory traversal sequences (e.g., /..\..\..\umbraco\test.aspx) and checking if the server responds with an HTTP 500 error containing the message "Cannot use a leading ..to exit above the top directory" can indicate the presence of the vulnerability. Additionally, scanning for unexpected ASPX files in the /umbraco/ directory or monitoring for unusual HTTP GET requests to newly created ASPX files may help detect exploitation attempts. Using the Metasploit module (EDB-19671) can also automate detection and exploitation steps. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Umbraco CMS to version 4.7.1 or later, where this vulnerability is patched. If upgrading is not immediately possible, restrict access to the codeEditorSave.asmx SOAP endpoint by implementing network-level controls such as firewall rules or IP whitelisting to prevent unauthenticated access. Additionally, remove or disable the SaveDLRScript operation if feasible, and monitor the /umbraco/ directory for unauthorized ASPX files. Minimizing publicly exposed functionality and removing unnecessary or dangerous features can reduce the attack surface. Applying vendor security patches promptly is critical to prevent exploitation. [1, 4]