Total
2510 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-24249 | 1 Laravel-admin | 1 Laravel-admin | 2024-08-02 | 7.2 High |
| An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2023-24202 | 1 Oretnom23 | 1 Raffle Draw System | 2024-08-02 | 9.8 Critical |
| Raffle Draw System v1.0 was discovered to contain a local file inclusion vulnerability via the page parameter in index.php. | ||||
| CVE-2023-24045 | 1 Dataiku | 1 Data Science Studio | 2024-08-02 | 6.5 Medium |
| In Dataiku DSS 11.2.1, an attacker can download other Dataiku files that were uploaded to the myfiles section by specifying the target username in a download request. | ||||
| CVE-2023-23970 | 1 Woorockets | 1 Corsa | 2024-08-02 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa.This issue affects Corsa: from n/a through 1.5. | ||||
| CVE-2023-23937 | 1 Pimcore | 1 Pimcore | 2024-08-02 | 8.2 High |
| Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain. This issue has been patched in version 10.5.16. | ||||
| CVE-2023-23851 | 1 Sap | 1 Business Planning And Consolidation | 2024-08-02 | 5.4 Medium |
| SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious web page, the attacker may perform actions on behalf of the users without their consent impacting the confidentiality and integrity of the system. | ||||
| CVE-2023-23135 | 1 Ftdms Project | 1 Ftdms | 2024-08-02 | 7.2 High |
| An arbitrary file upload vulnerability in Ftdms v3.1.6 allows attackers to execute arbitrary code via uploading a crafted JPG file. | ||||
| CVE-2023-23328 | 1 Avantfax | 1 Avantfax | 2024-08-02 | 8.8 High |
| A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. | ||||
| CVE-2023-22937 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-08-02 | 4.3 Medium |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. | ||||
| CVE-2023-22851 | 1 Tiki | 1 Tiki | 2024-08-02 | 7.2 High |
| Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. | ||||
| CVE-2023-22890 | 1 Smartbear | 1 Zephyr Enterprise | 2024-08-02 | 7.5 High |
| SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition. | ||||
| CVE-2023-22726 | 1 Act Project | 1 Act | 2024-08-02 | 8 High |
| act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path is variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually. | ||||
| CVE-2023-22504 | 1 Atlassian | 1 Confluence Server | 2024-08-02 | 6.5 Medium |
| Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. | ||||
| CVE-2023-22450 | 1 Advantech | 1 Webaccess\/scada | 2024-08-02 | 7.2 High |
| In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution. | ||||
| CVE-2023-20196 | 1 Cisco | 1 Identity Services Engine | 2024-08-02 | 4.7 Medium |
| Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges. | ||||
| CVE-2023-20195 | 1 Cisco | 1 Identity Services Engine | 2024-08-02 | 4.7 Medium |
| Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges. | ||||
| CVE-2023-20134 | 1 Cisco | 1 Webex Meetings | 2024-08-02 | 5.4 Medium |
| Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-7212 | 1 Dedecms | 1 Dedecms | 2024-08-02 | 4.7 Medium |
| A vulnerability classified as critical has been found in DeDeCMS up to 5.7.112. Affected is an unknown function of the file file_class.php of the component Backend. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249768. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-20009 | 1 Cisco | 2 Email Security Appliance, Secure Email And Web Manager | 2024-08-02 | 6.5 Medium |
| A vulnerability in the Web UI and administrative CLI of the Cisco Secure Email Gateway (ESA) and Cisco Secure Email and Web Manager (SMA) could allow an authenticated remote attacker and or authenticated local attacker to escalate their privilege level and gain root access. The attacker has to have a valid user credential with at least a [[privilege of operator - validate actual name]]. The vulnerability is due to the processing of a specially crafted SNMP configuration file. An attacker could exploit this vulnerability by authenticating to the targeted device and uploading a specially crafted SNMP configuration file that when uploaded could allow for the execution of commands as root. An exploit could allow the attacker to gain root access on the device. | ||||
| CVE-2023-20073 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2024-08-02 | 5.3 Medium |
| A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device. | ||||