Unrestricted File Upload Vulnerability in Kaseya KServer
CVE-2013-10034
Key Information:
Badges
What is CVE-2013-10034?
A significant vulnerability exists in Kaseya KServer that allows unauthenticated users to upload files to arbitrary directories through the uploadImage.asp endpoint. This flaw arises from inadequate input validation and authentication checks, permitting an attacker to upload a crafted file with an .asp extension. Once successfully uploaded, such files can be executed, potentially leading to arbitrary code execution with the privileges of the IUSR account. The issue was addressed in version 6.3.0.2 by eliminating the vulnerable endpoint.
Affected Version(s)
KServer * < 6.3.0.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved