CVE-2013-4885

medium

Published 2013-10-26 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.8

Description

The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload "arbitrarily named" files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-38741 remote linux verified

Piotr Duszynski · 2013-08-06

Nmap - Arbitrary File Write

Source code queued for fetch — refresh in a moment.

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
12.3	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.40-0.1`
sid	Fixed	`6.40-0.1`
forky	Fixed	`6.40-0.1`
bullseye	Fixed	`6.40-0.1`
bookworm	Fixed	`6.40-0.1`

Application impact

Vendor	Product	Versions
nmap	nmap	`{"endIncluding":"6.25"}`
nmap	nmap	`2.1`
nmap	nmap	`2.2`
nmap	nmap	`2.3`
nmap	nmap	`2.05`
nmap	nmap	`2.06`
nmap	nmap	`2.07`
nmap	nmap	`2.08`
nmap	nmap	`2.09`
nmap	nmap	`2.10`
nmap	nmap	`2.11`
nmap	nmap	`2.12`
nmap	nmap	`2.50`
nmap	nmap	`2.51`
nmap	nmap	`2.52`
nmap	nmap	`2.53`
nmap	nmap	`2.54`
nmap	nmap	`2.99`
nmap	nmap	`3.00`
nmap	nmap	`3.10`
nmap	nmap	`3.15`
nmap	nmap	`3.20`
nmap	nmap	`3.25`
nmap	nmap	`3.26`
nmap	nmap	`3.27`
nmap	nmap	`3.28`
nmap	nmap	`3.30`
nmap	nmap	`3.40`
nmap	nmap	`3.45`
nmap	nmap	`3.48`
nmap	nmap	`3.50`
nmap	nmap	`3.55`
nmap	nmap	`3.70`
nmap	nmap	`3.75`
nmap	nmap	`3.81`
nmap	nmap	`3.90`
nmap	nmap	`3.91`
nmap	nmap	`3.93`
nmap	nmap	`3.94`
nmap	nmap	`3.95`
nmap	nmap	`3.96`
nmap	nmap	`3.98`
nmap	nmap	`3.99`
nmap	nmap	`3.999`
nmap	nmap	`3.9999`
nmap	nmap	`4.00`
nmap	nmap	`4.01`
nmap	nmap	`4.02`
nmap	nmap	`4.03`
nmap	nmap	`4.04`
nmap	nmap	`4.10`
nmap	nmap	`4.11`
nmap	nmap	`4.20`
nmap	nmap	`4.21`
nmap	nmap	`4.22`
nmap	nmap	`4.49`
nmap	nmap	`4.50`
nmap	nmap	`4.51`
nmap	nmap	`4.52`
nmap	nmap	`4.53`
nmap	nmap	`4.60`
nmap	nmap	`4.62`
nmap	nmap	`4.65`
nmap	nmap	`4.68`
nmap	nmap	`4.75`
nmap	nmap	`4.76`
nmap	nmap	`4.85`
nmap	nmap	`4.90`
nmap	nmap	`5.00`
nmap	nmap	`5.10`
nmap	nmap	`5.20`
nmap	nmap	`5.21`
nmap	nmap	`5.30`
nmap	nmap	`5.35`
nmap	nmap	`5.50`
nmap	nmap	`5.51`
nmap	nmap	`5.59`
nmap	nmap	`5.61`
nmap	nmap	`6.00`
nmap	nmap	`6.01`
nmap	nmap	`6.20`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.