CVE-2013-10054
LibrettoCMS File Manager Arbitrary File Upload
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager plugin. The upload handler, located at adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php, fails to properly validate file extensions, allowing attackers to upload files with misleading extensions and subsequently rename them to executable .php scripts. This enables remote code execution on the server without authentication.
| CWE | CWE-434 |
| Vendor | librettocms |
| Product | librettocms |
| Published | Aug 4, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
LibrettoCMS / LibrettoCMS
1.1.7
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/libretto_upload_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/26213
exploit-db.com: https://www.exploit-db.com/exploits/26421
sourceforge.net: https://sourceforge.net/projects/librettocms/
vulncheck.com: https://www.vulncheck.com/advisories/librettocms-file-manager-arbitrary-file-upload
Credits
CWH sinn3r