CVE-2012-10044 | MobileCartly version 1.0 contains an arbitrary file creation… | CVSS 10.0 CRITICAL

Description

MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application fails to perform authentication or authorization checks before invoking file_put_contents() on attacker-controlled input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP GET requests to savepage.php, specifying both the filename and content. This allows arbitrary file creation within the pages/ directory or any writable path on the server, allowing remote code execution.

Metadata

CVE ID: CVE-2012-10044
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2025-08-07 20:23 UTC
Published: 2025-08-08 18:11 UTC
Last updated: 2026-04-07 14:02 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product: MobileCartly / MobileCartly
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
MobileCartly	MobileCartly	—	1.0

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434 Unrestricted Upload of File with Dangerous Type

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (5)