ByteOS Network

NVD Vulnerability Details :

CVE-2012-10024

Awaiting Analysis

Source-disclosure@vulncheck.com

Published At-05 Aug, 2025 | 20:15

Updated At-05 Aug, 2025 | 21:06

XBMC version 11, including builds up to the 2012-11-04 nightly release, contains a path traversal vulnerability in its embedded HTTP server. When accessed via HTTP Basic Authentication, the server fails to properly sanitize URI input, allowing authenticated users to request files outside the intended document root. An attacker can exploit this flaw to read arbitrary files from the host filesystem, including sensitive configuration or credential files.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.1	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-22	Secondary	disclosure@vulncheck.com

CWE ID: CWE-22

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/xbmc/xbmc	disclosure@vulncheck.com	N/A
https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335	disclosure@vulncheck.com	N/A
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/gather/xbmc_traversal.rb	disclosure@vulncheck.com	N/A
https://www.ioactive.com/wp-content/uploads/pdfs/Security_Advisory_XBMC.pdf	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/xbmc-web-server-path-traversal	disclosure@vulncheck.com	N/A