CVE-2008-0148

TUTOS 1.3 - Remote Code Execution via cmd.php cmd Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0148. PoCs published by Houssamix.

AI-analyzed exploit summary The exploit demonstrates a command execution vulnerability in TUTOS version 1.3 via an unauthenticated endpoint. The PoC shows direct command injection through the 'cmd' parameter in the admin interface without requiring authentication.

Description

TUTOS 1.3 does not restrict access to php/admin/cmd.php, which allows remote attackers to execute arbitrary shell commands via the cmd parameter in a direct request.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Houssamix · textwebappsphp
https://www.exploit-db.com/exploits/4861

The exploit demonstrates a command execution vulnerability in TUTOS version 1.3 via an unauthenticated endpoint. The PoC shows direct command injection through the 'cmd' parameter in the admin interface without requiring authentication.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: TUTOS 1.3
No auth needed
Prerequisites: Access to the target web server · TUTOS 1.3 installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28291
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/39531
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4861

Scores

EPSS 0.0578
EPSS Percentile 92.1%

Details

CWE
CWE-264
Status published
Products (1)
tutos/tutos 1.3
Published Jan 09, 2008
Tracked Since Feb 18, 2026