QwikSec

Security Database

CVE

CWE

Training

CVE-2013-10037

Published: Jul 31, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.

Vendor	Product	Versions
Eppler Software	WebTester	affected `5.0`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rb

exploit

https://sourceforge.net/p/webtesteronline/bugs/3/

issue-tracking

https://www.exploit-db.com/exploits/29132

exploit

https://advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.html

third-party-advisory

https://www.vulncheck.com/advisories/webtester-unauth-command-execution

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.