{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2013-10037", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-07-30T16:27:28.910Z", "datePublished": "2025-07-31T15:01:44.165Z", "dateUpdated": "2026-04-07T14:02:59.797Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["/install2.php"], "product": "WebTester", "vendor": "Eppler Software", "versions": [{"status": "affected", "version": "5.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "bcoles"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An OS command injection vulnerability exists in WebTester version 5.x via the <code>install2.php</code> installation script. The parameters <code>cpusername</code>, <code>cppassword</code>, and <code>cpdomain</code> are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges."}], "value": "An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T14:02:59.797Z"}, "references": [{"tags": ["exploit"], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rb"}, {"tags": ["issue-tracking"], "url": "https://sourceforge.net/p/webtesteronline/bugs/3/"}, {"tags": ["exploit"], "url": "https://www.exploit-db.com/exploits/29132"}, {"tags": ["third-party-advisory"], "url": "https://advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.html"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/webtester-unauth-command-execution"}], "source": {"discovery": "UNKNOWN"}, "title": "WebTester 5.x install2.php Unauthenticated Command Execution", "x_generator": {"engine": "Vulnogram 0.2.0"}, "datePublic": "2013-10-22T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-31T15:23:44.203497Z", "id": "CVE-2013-10037", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T15:23:56.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2013-10037", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-31T15:23:44.203497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T15:23:47.643Z"}}], "cna": {"title": "WebTester 5.x install2.php Unauthenticated Command Execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "bcoles"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eppler Software", "modules": ["/install2.php"], "product": "WebTester", "versions": [{"status": "affected", "version": "5.0"}], "defaultStatus": "unknown"}], "datePublic": "2013-10-22T00:00:00.000Z", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rb", "tags": ["exploit"]}, {"url": "https://sourceforge.net/p/webtesteronline/bugs/3/", "tags": ["issue-tracking"]}, {"url": "https://www.exploit-db.com/exploits/29132", "tags": ["exploit"]}, {"url": "https://advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.html", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/webtester-unauth-command-execution", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.", "supportingMedia": [{"type": "text/html", "value": "An OS command injection vulnerability exists in WebTester version 5.x via the <code>install2.php</code> installation script. The parameters <code>cpusername</code>, <code>cppassword</code>, and <code>cpdomain</code> are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T14:02:59.797Z"}}}, "cveMetadata": {"cveId": "CVE-2013-10037", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:02:59.797Z", "dateReserved": "2025-07-30T16:27:28.910Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-07-31T15:01:44.165Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en WebTester versi\u00f3n 5.x mediante el script de instalaci\u00f3n install2.php. Los par\u00e1metros cpusername, cppassword y cpdomain se pasan directamente a los comandos de shell sin depurarlos. Un atacante remoto no autenticado puede explotar esta vulnerabilidad enviando una solicitud HTTP POST manipulada, lo que resulta en la ejecuci\u00f3n de comandos arbitrarios en el sistema subyacente con privilegios de servidor web."}], "id": "CVE-2013-10037", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-07-31T15:15:33.417", "references": [{"source": "disclosure@vulncheck.com", "url": "https://advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.html"}, {"source": "disclosure@vulncheck.com", "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rb"}, {"source": "disclosure@vulncheck.com", "url": "https://sourceforge.net/p/webtesteronline/bugs/3/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/29132"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/webtester-unauth-command-execution"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"created": "2025-07-31T20:20:39.203911+00:00", "updated": "2025-07-31T20:20:39.203969+00:00", "vendors": ["eppler_software", "eppler_software$PRODUCT$webtester", "webtester", "webtester$PRODUCT$webtester"]}