CVE-2012-10024
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
XBMC version 11.0 contains a path traversal vulnerability in its embedded HTTP server. For requests authenticated with HTTP Basic Authentication, the server fails to properly sanitize the request URI, so an authenticated user can request files outside the intended document root. An attacker can exploit this flaw to read arbitrary files from the host filesystem, including sensitive configuration or credential files.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
References
- https://github.com/xbmc/xbmc
- https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/gather/xbmc_traversal.rb
- https://www.ioactive.com/wp-content/uploads/pdfs/Security_Advisory_XBMC.pdf
- https://www.vulncheck.com/advisories/xbmc-web-server-path-traversal
CWEs
CWE-22