Home

Description

A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.

PUBLISHED Reserved 2025-08-28 | Published 2025-08-30 | Updated 2025-09-02 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

*
affected

Credits

theLightCosine finder

References

raw.githubusercontent.com/...http/xampp_webdav_upload_php.rb exploit

www.exploit-db.com/exploits/18367 exploit

www.apachefriends.org/index.html product

www.vulncheck.com/...xampp-webdav-php-upload-auth-bypass-rce third-party-advisory

cve.org (CVE-2012-10062)

nvd.nist.gov (CVE-2012-10062)

Download JSON