CVE-2013-10032
Published: 25 July 2025
Summary
CVE-2013-10032 is a high-severity vulnerability in GetSimpleCMS (vendor Get-Simple), catalogued under CWE-306 (Missing Authentication for Critical Function). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations identified in this analysis are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate file uploads at the entry point by allowlisting the permitted types; a blacklist of MIME types and extensions is exactly what the .pht upload bypasses.
- SI-10(5) (Restrict Inputs to Trusted Sources and Approved Formats): accept only the MIME types and extensions the application actually needs, so the upload.php endpoint cannot be used to store arbitrary files.
- SI-2 (Flaw Remediation): remove the blacklist-based check in upload.php promptly by patching or upgrading GetSimpleCMS.
NVD Description
An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
Deeper analysis
CVE-2013-10032 is an authenticated remote code execution vulnerability in GetSimpleCMS 3.2.1, located in the upload.php endpoint. The handler validates neither the MIME type nor the extension of an uploaded file properly: extensions are filtered against a blacklist rather than an allowlist, so any extension the blacklist omits, such as .pht, is accepted and the file is written into the web root. If the web server maps that extension to the PHP interpreter (some Apache mod_php configurations, for example Debian's older php5 module config, do so for .pht and .phtml), requesting the file executes the attacker's code; a polyglot file or a disguised extension serves the same purpose. The vulnerability is rated 8.8 on CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Of the two, CWE-434 describes the flaw; CWE-306 sits awkwardly with the PR:L component of the vector, since exploitation requires an authenticated account.
Any authenticated user with low privileges can exploit the flaw remotely: log in, submit a .pht file containing PHP code to upload.php, then request the stored file over HTTP so that the server executes it. Success yields arbitrary code execution as the web server user, which can lead to full compromise: data theft, content tampering, or takeover of the host. Confidentiality, integrity and availability impacts are all rated High.
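The following Python model, added here as an illustration and not taken from GetSimpleCMS or the Metasploit module, contrasts the kind of blacklist check described above and in the mitigating controls with an allowlist check that also inspects file content and discards the client-supplied name. The denylist contents, the allowed extensions and the magic-byte table are assumptions chosen for the example; the exact filter in upload.php 3.2.1 is not reproduced here.

```python
"""Blacklist vs. allowlist validation for an upload endpoint.

Added example modelling the CVE-2013-10032 class of bug; it is not
GetSimpleCMS code. DENYLIST, ALLOWLIST and MAGIC are assumptions.
"""
from __future__ import annotations

import secrets

# Hypothetical denylist of the kind a blacklist-style filter would use.
# .pht is absent, which is the gap the advisory describes; some Apache
# mod_php configs (e.g. Debian's older php5 FilesMatch) still execute it.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# The only extensions an (assumed) media-upload feature actually needs.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes expected for each allowed type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def _basename(filename: str) -> str:
    """Strip any directory component the client may have sent."""
    return filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def last_extension(filename: str) -> str:
    """Extension after the final dot, lower-cased; '' when there is none."""
    base = _basename(filename)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def blacklist_accepts(filename: str) -> bool:
    """The weak check: anything not explicitly denied gets through."""
    return last_extension(filename) not in DENYLIST


def allowlist_accepts(filename: str, head: bytes) -> str | None:
    """The hardened check; returns the server-chosen stored name or None.

    Every dotted segment of the client name must be an allowed extension,
    so 'shell.php.jpg' is refused even though its last extension is fine,
    and the first bytes must match the magic for that type.
    """
    parts = _basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:          # no extension, or '.htaccess'
        return None
    exts = parts[1:]
    if any(e not in ALLOWLIST for e in exts):
        return None
    ext = exts[-1]
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return None
    # Never reuse the client-supplied name: the stored name is random and
    # carries only the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: (client filename, first bytes of content).
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(12)),
        ("shell.pht", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"<?php echo 1; ?>"),
        ("poly.gif", b"GIF89a<?php echo 1; ?>"),
    ]
    for name, head in samples:
        print(f"{name:15} blacklist={blacklist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name, head)}")
```

The blacklist passes shell.pht and shell.php.jpg; the allowlist rejects both. The GIF/PHP polyglot is the honest edge case: it passes the allowlist because its bytes really are a GIF header, but it is stored under a random name ending in .gif, which the web server serves as an image rather than handing to the interpreter. That is why an extension allowlist has to be paired with an upload directory in which scripts cannot execute (or one outside the web root), as the references section recommends.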
References for CVE-2013-10032 include the GetSimpleCMS website, the Metasploit Framework module exploit/unix/webapp/get_simple_cms_upload_exec, Exploit-DB entry 25405, and IPS signatures from Broadcom (ASID 27895) and FortiGuard (39295). Public exploit code and detection rules both exist, so remediation should not wait: allowlist the permitted file types and verify content rather than trusting the client-supplied name, store uploads outside the web root (or deny script execution in the upload directory), and update to a GetSimpleCMS release in which upload.php is fixed.
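As an added example of the detection side (it is not one of the vendor IPS signatures cited above), the Python below replays constructed Apache combined-format access-log lines and flags requests for PHP-family files under the upload directory, escalating when the same client posted to upload.php shortly before. The endpoint path /admin/upload.php, the upload directory /data/uploads/, the ten-minute window and the log lines themselves are assumptions for the example.

```python
"""Retro-hunt for upload.php abuse in Apache combined-format logs.

Added example, not a vendor signature. UPLOAD_ENDPOINT and UPLOAD_DIR are
assumed GetSimpleCMS locations; SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/admin/upload.php"   # assumed admin path
UPLOAD_DIR = "/data/uploads/"           # assumed upload location
WINDOW = timedelta(minutes=10)          # assumed correlation window

# Extensions a PHP handler may map, including the .pht the advisory cites.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"}

# Constructed sample: one real upload-then-execute sequence, one benign
# upload, and one unattributed probe for a double-extension file.
SAMPLE_LOG = """\
203.0.113.7 - admin [25/Jul/2025:10:01:02 +0000] "POST /admin/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2025:10:01:05 +0000] "GET /data/uploads/shell.pht HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - editor [25/Jul/2025:10:02:00 +0000] "POST /admin/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2025:10:02:03 +0000] "GET /data/uploads/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jul/2025:11:30:00 +0000] "GET /data/uploads/img.php.jpg HTTP/1.1" 404 196 "-" "curl/8.0"
"""


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def looks_executable(path: str) -> bool:
    """True if any dotted segment of the file name is a PHP-family extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(seg in PHP_EXTS for seg in name.split(".")[1:])


def find_upload_abuse(lines):
    """Return alerts for GETs of script-like files in the upload directory.

    'correlated' is True when the same client POSTed to the upload endpoint
    within WINDOW beforehand; uncorrelated hits are still reported because
    upload and execution may arrive from different addresses.
    """
    last_upload = {}   # client ip -> timestamp of its last upload POST
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            last_upload[rec["ip"]] = rec["ts"]
            continue
        if (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
                and looks_executable(rec["path"])):
            t0 = last_upload.get(rec["ip"])
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "correlated": t0 is not None and rec["ts"] - t0 <= WINDOW,
            })
    return alerts


if __name__ == "__main__":
    for a in find_upload_abuse(SAMPLE_LOG.splitlines()):
        print(a)
```

A 200 on the correlated hit means the server returned something for the .pht file, which deserves a look at what the handler actually produced; a 404 on the uncorrelated probe is reconnaissance worth noting but not proof of compromise. Extending the same logic to a SIEM is mostly a matter of keying last_upload by session rather than by source address.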
Details
- CWE(s)