Critical severityNVD Advisory· Published Jul 31, 2025· Updated Apr 15, 2026

CVE-2013-10037

Description

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

advisories.checkpoint.com/defense/advisories/public/2014/cpai-2014-1620.htmlnvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/webtester_exec.rbnvd
sourceforge.net/p/webtesteronline/bugs/3/nvd
www.exploit-db.com/exploits/29132nvd
www.vulncheck.com/advisories/webtester-unauth-command-executionnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.054
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000