CVE-2013-10051
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-10-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| instantcms | instantcms | to 1.6.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote PHP code execution flaw in InstantCMS version 1.6 and earlier. It occurs because the software unsafely uses the eval() function within the search view handler, where user input from the 'look' parameter is concatenated into a PHP expression and executed without proper sanitization. An attacker can exploit this by sending a specially crafted HTTP GET request with a base64-encoded payload in the Cmd header, allowing them to execute arbitrary PHP code on the web server.
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary PHP code on the affected web server, potentially leading to full system compromise. This could result in unauthorized access to sensitive data, modification or deletion of data, disruption of service, or using the server as a foothold for further attacks.