QwikSec

Security Database

CVE

CWE

Training

CVE-2013-10038

Published: Jul 31, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.

Vendor	Product	Versions
TUFaT	FlashChat	affected `6.0.2` affected `6.0.4 - <= 6.0.8`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/flashchat_upload_exec.rb

exploit

https://www.exploit-db.com/exploits/28709

exploit

https://www.fortiguard.com/encyclopedia/ips/37342/flashchat-arbitrary-file-upload

third-party-advisory

https://www.phpbb.com/community/viewtopic.php?t=2627786

https://www.vulncheck.com/advisories/flashchat-arbitrary-file-upload-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.