CVE-2012-10045

CRITICAL

XODA 0.4.5 - Unauthenticated Arbitrary PHP File Upload via Multipart Form Data


Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-10045. PoCs published by Metasploit, Shai rod, and juan vazquez, including the Metasploit module exploits/unix/webapp/xoda_file_upload.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated arbitrary PHP file upload vulnerability in XODA 0.4.5, allowing remote code execution by uploading a malicious PHP file via a multipart form request.

Description

XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/20713

This Metasploit module exploits an unauthenticated arbitrary PHP file upload vulnerability in XODA 0.4.5, allowing remote code execution by uploading a malicious PHP file via a multipart form request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: XODA 0.4.5
No auth needed
Prerequisites: Network access to the target web application
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Shai rod · text · webapps · php
https://www.exploit-db.com/exploits/20703

This is a vulnerability writeup describing stored XSS and arbitrary file upload vulnerabilities in XODA Document Management System version 0.4.5. It includes steps to reproduce the vulnerabilities but does not contain exploit code.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: XODA Document Management System 0.4.5
No auth needed
Prerequisites: access to the vulnerable application
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Shai rod, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/xoda_file_upload.rb

This Metasploit module exploits an unauthenticated arbitrary PHP file upload vulnerability in XODA 0.4.5, allowing remote code execution by uploading a malicious PHP file via a multipart form request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: XODA 0.4.5
No auth needed
Prerequisites: Network access to the target web application
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 9.3
EPSS: 0.0106
EPSS Percentile: 60.3%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): XODA/XODA 0.4.5
Published: Aug 08, 2025
Tracked Since: Feb 18, 2026