CVE-2013-10066 CRITICAL

CVE-2013-10066: Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload

Vendor: Kordil
Product: EDMS
Weakness: CWE-434 · Unrestricted file upload
Published: August 5, 2025
Last update: April 7, 2026

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request.
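A log check for the pattern described above, added here as an example and not part of the original record or the vendor's code: it flags POSTs to users_add.php and any request for a script-type file under /userpictures/, noting whether the same client posted first. The combined log format, the /edms/ path prefix, the sample lines and the extension list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access log (combined log format, documentation-range IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2025:10:00:00 +0000] "GET /edms/userpictures/alice.jpg HTTP/1.1" 200 8123',
    '198.51.100.7 - - [05/Aug/2025:10:00:01 +0000] "POST /edms/users_add.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Aug/2025:10:00:03 +0000] "GET /edms/userpictures/a1b2c3.php HTTP/1.1" 200 64',
    '192.0.2.44 - - [05/Aug/2025:10:05:00 +0000] "GET /edms/userpictures/test.PHP?x=1 HTTP/1.1" 404 210',
]

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Extensions often mapped to the PHP handler (assumed list; match it to your server
# config). Also catches double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.I)


def parse(line):
    """Return (client, method, normalized path, status) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    path = unquote(urlsplit(target).path).lower()  # drop query, decode %xx, fold case
    return client, method.upper(), path, int(status)


def find_upload_abuse(lines):
    """Return (kind, client, path, status, posted_first) tuples in log order."""
    uploaders, findings = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, method, path, status = rec
        name = path.rsplit("/", 1)[-1]
        if method == "POST" and name == "users_add.php":
            # The log does not show session state, so every POST is a lead to review.
            uploaders.add(client)
            findings.append(("upload_post", client, path, status, False))
        elif "/userpictures/" in path and SCRIPT_EXT.search(name):
            # A picture directory should never serve script files.
            findings.append(("script_request", client, path, status, client in uploaders))
    return findings


if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

A `script_request` with a 2xx status and `posted_first` set is the highest-priority finding; a 404 indicates a probe for a file that is not there.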

Key dates

02 Disclosure timeline

August 5, 2025 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04 Related CVE