CVE-2020-10963

HIGH

FrozenNode Laravel-Administrator <5.0.12 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-10963. PoCs published by Xavi Beltran, scopion.

AI-analyzed exploit summary: This exploit leverages an unrestricted file upload vulnerability in Laravel Administrator 4 to upload a malicious PHP file disguised as a GIF, which executes a reverse shell when accessed. It requires authentication and targets the file upload functionality.

Description

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

Exploits (2)

exploitdb WORKING POC
by Xavi Beltran · python · webapps · php
https://www.exploit-db.com/exploits/49112

This exploit leverages an unrestricted file upload vulnerability in Laravel Administrator 4 to upload a malicious PHP file disguised as a GIF, which executes a reverse shell when accessed. It requires authentication and targets the file upload functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Laravel Administrator 4
Auth required
Prerequisites: Valid admin credentials · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by scopion · poc
https://github.com/scopion/CVE-2020-10963

This exploit targets an unrestricted file upload vulnerability in Laravel Administrator 4, allowing authenticated users to upload a malicious PHP file disguised as an image. The payload executes a reverse shell upon access.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FrozenNode Laravel-Administrator version 4
Auth required
Prerequisites: Valid admin credentials · Network access to the target application · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.2
EPSS 0.2242
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (2)
frozennode/administrator 0Packagist
frozennode/laravel-administrator < 5.0.12
Published Mar 25, 2020
Tracked Since Feb 18, 2026