CVSS: 9.8 • EPSS: 38% • CPEs: 1 • EXPL: 3

31 Jul 2025 — An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitization, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability en... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 0

15 Apr 2022 — Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code. • https://csirt.divd.nl/cves/CVE-2021-40386

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The apache user could read arbitrary files such as /etc/shadow by abusing an insecure Sudo rule. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The password for the PostgreSQL wguest account is weak. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-521: Weak Password Requirements

CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A buffer overflow existed in the vaultServer component. This was exploitable by a remote unauthenticated attacker. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 9.8 • EPSS: 4% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-134: Use of Externally-Controlled Format String

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-427: Uncontrolled Search Path Element

CVSS: 10.0 • EPSS: 14% • CPEs: 1 • EXPL: 2

06 Dec 2021 — An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the bpserverd daemon were vulnerable to arbitrary remote code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls. • https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')