Detections
Analytics

CVE-2013-10038

critical

Description

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.

References

https://www.vulncheck.com/advisories/flashchat-arbitrary-file-upload-rce

https://www.phpbb.com/community/viewtopic.php?t=2627786

https://www.fortiguard.com/encyclopedia/ips/37342/flashchat-arbitrary-file-upload

https://www.exploit-db.com/exploits/28709

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/flashchat_upload_exec.rb

Details

Source: Mitre, NVD

Published: 2025-07-31

Updated: 2025-07-31

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.00136