An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request.
History
Thu, 07 Aug 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Thu, 07 Aug 2025 07:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Kordil Edms Project, Kordil Edms Project kordil Edms | |
Vendors & Products | Kordil Edms Project, Kordil Edms Project kordil Edms | |
Tue, 05 Aug 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request. | |
Title | Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload | |
Weaknesses | CWE-434 | |
References | | |
Metrics | cvssV4_0 | |

Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-08-05T20:02:54.434Z
Updated: 2025-08-07T13:50:54.846Z
Reserved: 2025-08-05T13:49:05.236Z
Link: CVE-2013-10066

Updated: 2025-08-07T13:50:51.276Z

Status: Awaiting Analysis
Published: 2025-08-05T20:15:35.237
Modified: 2025-08-07T14:15:40.560
Link: CVE-2013-10066
