CVE-2013-10032

Name of the Vulnerable Software and Affected Versions GetSimpleCMS version 3.2.1

Description An authenticated remote code execution issue exists in the application. The upload.php API endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. An attacker can bypass blacklist-based restrictions by uploading a .pht file containing PHP code, placing executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. The issue is due to the use of a blacklist for filtering file types instead of a whitelist.

Recommendations Update to a newer version that contains a fix for this vulnerability.