A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
History

Tue, 02 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 31 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache Friends
Apache Friends xampp
Vendors & Products Apache Friends
Apache Friends xampp

Sat, 30 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
Title XAMPP WebDAV PHP Upload Authentication Bypass RCE
Weaknesses CWE-306
CWE-434
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-09-02T20:37:26.489Z

Reserved: 2025-08-28T18:58:41.548Z

Link: CVE-2012-10062

cve-icon Vulnrichment

Updated: 2025-09-02T20:37:22.678Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-30T14:15:40.230

Modified: 2025-09-02T15:55:25.420

Link: CVE-2012-10062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-31T08:41:31Z