Description

An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitation, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint.

INFO

Published Date :

2025-07-31T14:56:30.930Z

Last Modified :

2025-07-31T19:22:42.274Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2013-10034 vulnerability.

Vendors Products
Kaseya
  • Kserver
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2013-10034.

URL Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb cve-icon cve-icon
https://web.archive.org/web/20150210113922/http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf cve-icon cve-icon
https://www.exploit-db.com/exploits/29675 cve-icon cve-icon
https://www.vulncheck.com/advisories/kaseya-arbitrary-file-upload-rce cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability