PT-2025-32397 · Unknown · Mobilecartly
Published: 2025-08-08 · Updated: 2025-08-08
CVE-2012-10044
CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
MobileCartly version 1.0
Description:
MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application does not perform authentication or authorization checks before using the file_put_contents() function with attacker-controlled input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP GET requests to the /savepage.php endpoint, specifying both the filename and content. This allows arbitrary file creation within the pages/ directory or any writable path on the server, potentially leading to remote code execution.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
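A log-review sketch for the behaviour described above, added here as an example and not part of the advisory or of MobileCartly: it flags GET requests that reached savepage.php and raises severity when a parameter value names a server-executable extension or escapes the pages/ directory. The log lines and the parameter names file and data are constructed placeholders; the advisory does not give the real parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). The parameter
# names "file" and "data" are placeholders, not MobileCartly's real ones.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2025:10:01:09 +0000] "GET /savepage.php?file=about.txt&data=hello HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.4 - - [08/Aug/2025:10:02:30 +0000] "GET /savepage.php?file=x.php&data=test HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.4 - - [08/Aug/2025:10:02:41 +0000] "GET /shop/savepage.php?file=..%2Fconfig.inc&data=test HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.15 - - [08/Aug/2025:10:03:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Extensions a typical PHP-enabled web server would execute.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar|pht)$', re.IGNORECASE)

def classify(values):
    """Return reasons why a set of URL-decoded parameter values is high risk."""
    reasons = []
    if any(SCRIPT_EXT.search(v.strip()) for v in values):
        reasons.append("script-extension")   # file the server may execute
    if any(".." in v or v.startswith(("/", "\\")) for v in values):
        reasons.append("path-escape")        # write outside pages/
    return reasons

def find_savepage_hits(log_text):
    """Return one finding per logged request that reached savepage.php."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/savepage.php"):
            continue
        # parse_qsl percent-decodes values, so "..%2F" is seen as "../".
        values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
        reasons = classify(values)
        # Every request to this unauthenticated endpoint deserves review;
        # a successful one with a risky value is escalated.
        severity = "high" if reasons and status.startswith("2") else "review"
        findings.append({"ip": ip, "time": ts, "method": method,
                         "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_savepage_hits(SAMPLE_LOG):
        print(finding)
```

A "high" finding should be followed by a check of the pages/ directory and other writable paths for files created at the logged time.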
RCE
Unrestricted File Upload
Affected Products
Mobilecartly