QwikSec

Security Database

CVE

CWE

Training

CVE-2013-10054

Published: Aug 4, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager plugin. The upload handler located at adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php fails to properly validate file extensions, allowing attackers to upload files with misleading extensions and subsequently rename them to executable .php scripts. This enables remote code execution on the server without authentication.

Vendor	Product	Versions
LibrettoCMS	LibrettoCMS	affected `1.1.7`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/libretto_upload_exec.rb

exploit

https://www.exploit-db.com/exploits/26213

exploit

https://www.exploit-db.com/exploits/26421

exploit

https://sourceforge.net/projects/librettocms/

product

https://www.vulncheck.com/advisories/librettocms-file-manager-arbitrary-file-upload

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.