Published: Aug 08, 2025 | Modified: Aug 08, 2025

CVE-2012-10046

0 CVSS SCORE
Description

The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system.
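One way to hunt for abuse of this flaw is to scan web access logs for requests to learn-msg.cgi whose id value contains anything beyond a plain token. The following is an added example, not part of the advisory or the vendor's code; the combined log format, the allowlist for a legitimate id, the `/PLACEHOLDER/` directory and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate id is a short token of letters, digits, '.', '_' or '-'.
# Tune this to the values the appliance really generates.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]{1,128}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def suspicious_ids(line):
    """Return the id values in one log line that fail the allowlist."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/learn-msg.cgi"):
        return []
    # parse_qsl percent-decodes, so encoded metacharacters are caught too.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return [v for k, v in pairs if k == "id" and not SAFE_ID.fullmatch(v)]

def scan(lines):
    """Yield (line_number, client_ip, bad_values) for each flagged entry."""
    for n, line in enumerate(lines, 1):
        bad = suspicious_ids(line)
        if bad:
            yield n, line.split(" ", 1)[0], bad

# Constructed sample entries; the directory and commands are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2025:10:00:01 +0000] "GET /PLACEHOLDER/learn-msg.cgi?id=20250808-ab12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Aug/2025:10:00:05 +0000] "GET /PLACEHOLDER/learn-msg.cgi?id=1%3BCONSTRUCTED_CMD HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/Aug/2025:10:00:09 +0000] "GET /PLACEHOLDER/learn-msg.cgi?id=%60CONSTRUCTED_CMD%60 HTTP/1.1" 200 0',
    '203.0.113.4 - - [08/Aug/2025:10:00:12 +0000] "GET /PLACEHOLDER/other.cgi?id=1%3Bx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent id={bad!r}")
```

Access logs record only the query string, so an id sent in a request body is not visible to this check and needs proxy or application-level logging.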

Weaknesses (CWE)

  • CWE-78