CVE-2013-10051
Published: 01 August 2025
Summary
CVE-2013-10051 is a critical-severity Eval Injection (CWE-95) vulnerability in Instantcms Instantcms. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2013-10051 is a remote PHP code execution vulnerability affecting InstantCMS version 1.6 and earlier. The flaw stems from the unsafe use of the eval() function within the search view handler, where user-supplied input passed via the look parameter is directly concatenated into a PHP expression and executed without proper sanitization. This CWE-95 issue earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to the potential for complete compromise.
A remote attacker can exploit this vulnerability by sending a crafted HTTP GET request containing a base64-encoded payload in the Cmd header. No privileges, user interaction, or special access are required, allowing unauthenticated attackers to achieve arbitrary PHP code execution within the context of the web server process. Successful exploitation grants full control over the server, enabling data theft, persistence, or further lateral movement.
Public references, including advisories from Vulncheck and proof-of-concept exploits on Exploit-DB (ID 26622) and PacketStorm, detail the vulnerability but do not specify official patches or mitigations in the provided information. A Metasploit module (unix/webapp/instantcms_exec.rb) exists for automated exploitation, underscoring the need for immediate upgrades or removal of affected InstantCMS installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-7270
Vulnerability details
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed…
more
without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE in public-facing web app via eval of unsanitized input matches T1190 exactly.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents remote PHP code execution by requiring validation of user-supplied input in the look parameter before concatenation into eval().
Requires timely flaw remediation, such as patching or upgrading InstantCMS to eliminate the unsafe eval() usage in the search handler.
Boundary protection via web application firewalls can block crafted HTTP GET requests with malicious base64-encoded payloads targeting the Cmd header.