QwikSec

Security Database

CVE

CWE

Training

CVE-2013-10032

Published: Jul 25, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.

Vendor	Product	Versions
GetSimple CMS Project	GetSimple CMS	affected `3.2.1`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb

exploit

https://www.exploit-db.com/exploits/25405

exploit

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895

third-party-advisory

https://www.fortiguard.com/encyclopedia/ips/39295

third-party-advisory

https://get-simple.info

product

https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.