CVE-2012-10033

Narcissus backend.php Image Configuration Command Injection

Description

Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before passing it to the configure_image() function. This function invokes PHP’s passthru() with the unsanitized input, allowing attackers to inject arbitrary system commands. Exploitation occurs via a crafted POST request, resulting in command execution under the web server’s context.

INFO

Published Date :

2025-08-05T20:03:59.143Z

Last Modified :

2026-04-07T14:02:30.478Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2012-10033 vulnerability.

Vendors	Products
Angstrom Distribution	Narcissus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2012-10033.

URL	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/narcissus_backend_exec.rb
https://web.archive.org/web/20101127002623/https://narcissus.angstrom-distribution.org/
https://www.exploit-db.com/exploits/22709
https://www.exploit-db.com/exploits/22856
https://www.vulncheck.com/advisories/narcissus-image-config-command-injection

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability