CVE-2012-10045
CRITICAL
XODA 0.4.5 - RCE
Title source: llm
Description
XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/20713
metasploit
WORKING POC
EXCELLENT
by Shai rod, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/xoda_file_upload.rb
References (6)
Scores
CVSS v4
9.3
EPSS
0.6972
EPSS Percentile
98.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
CWE
CWE-434
Status
published
Products (1)
XODA/XODA
0.4.5
Published
Aug 08, 2025
Tracked Since
Feb 18, 2026