CVE-2020-13887
Description
Kordil EDMS <=2.2.60rc3 allows remote command execution by uploading a .php file via documents_add.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kordil EDMS <=2.2.60rc3 allows remote command execution by uploading a .php file via documents_add.php.
Vulnerability
documents_add.php in Kordil EDMS through version 2.2.60rc3 does not validate file extensions, allowing users to upload .php files to the documents folder. This enables remote command execution upon accessing the uploaded file [1].
Exploitation
An attacker with network access to the Kordil EDMS web interface can upload a malicious .php file via documents_add.php without authentication. The attacker then triggers execution by visiting the uploaded file's URL.
Impact
Successful exploitation grants the attacker arbitrary command execution on the server with the privileges of the web server user, leading to full system compromise.
Mitigation
No official patch was available as of publication (2020-06-22). Users should restrict access to documents_add.php via firewall or authentication, and consider blocking .php file uploads. Check the SourceForge page [1] for future updates.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Kordil/EDMSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- hidden-one.co.in/2020/06/17/cve-2020-13887-kordil-edms-through-2-2-60rc3-allows-remote-command-execution/mitrex_refsource_MISC
- sourceforge.net/projects/kordiledms/files/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.