Sflog! CMS 1.0 contains an authenticated arbitrary file upload vulnerability in the blog management interface. The application ships with default credentials (admin:secret) and allows authenticated users to upload files via manage.php. The upload mechanism fails to validate file types, enabling attackers to upload a PHP backdoor into a web-accessible directory (blogs/download/uploads/). Once uploaded, the file can be executed remotely, resulting in full remote code execution.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 12 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Sflog
Sflog sflog
Vendors & Products Sflog
Sflog sflog

Fri, 08 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
Description Sflog! CMS 1.0 contains an authenticated arbitrary file upload vulnerability in the blog management interface. The application ships with default credentials (admin:secret) and allows authenticated users to upload files via manage.php. The upload mechanism fails to validate file types, enabling attackers to upload a PHP backdoor into a web-accessible directory (blogs/download/uploads/). Once uploaded, the file can be executed remotely, resulting in full remote code execution.
Title Sflog! CMS 1.0 Arbitrary File Upload RCE
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-08T18:49:25.841Z

Reserved: 2025-08-07T20:09:09.351Z

Link: CVE-2012-10042

cve-icon Vulnrichment

Updated: 2025-08-08T18:49:14.454Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-08T19:15:34.000

Modified: 2025-08-08T20:30:18.180

Link: CVE-2012-10042

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T11:47:21Z