CVE-2011-10013 | Traq versions 2.0 through 2.3 contain a remote code executio… | CVSS 10.0 CRITICAL

Description

Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code.

Metadata

CVE ID: CVE-2011-10013
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2025-08-12 20:15 UTC
Published: 2025-08-13 20:54 UTC
Last updated: 2026-05-25 23:40 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: Traq Project / Issue Tracking System
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Traq Project	Issue Tracking System	—	2.0 ≤ 2.3

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306 Missing Authentication for Critical Function
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (6)