CVE-2013-10037

WebTester 5.x - Command Injection

Description

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/29132

metasploit · WORKING POC · EXCELLENT
by bcoles · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/webtester_exec.rb

Scores

EPSS 0.6721
EPSS Percentile 98.5%

Classification

CWE
CWE-78
Status draft

Timeline

Published Jul 31, 2025
Tracked Since Feb 18, 2026