Total: 2660 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-29135 | | | 2024-08-02 | 9.9 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic. This issue affects Tourfic: from n/a through 2.11.15.
CVE-2024-29100 | | | 2024-08-02 | 9.1 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
CVE-2024-28520 | | | 2024-08-02 | 6.5 Medium | File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210 allows an attacker to obtain sensitive information via the uploadfile.php component.
CVE-2024-28269 | 1 Recrystallize Software | 1 Recrystallive Server | 2024-08-02 | 7.2 High | ReCrystallize Server 5.10.0.0 allows administrators to upload files to the server. The file upload is not restricted, leading to the ability to upload malicious files. This could result in Remote Code Execution.
CVE-2024-28147 | | | 2024-08-02 | 7.4 High | An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack. This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.
CVE-2024-27951 | 1 Themeisle | 1 Multiple Page Generator | 2024-08-02 | 9.1 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows Upload a Web Shell to a Web Server. This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0.
CVE-2024-27311 | 1 Zohocorp | 1 Manageengine Ddi Central | 2024-08-02 | 5.5 Medium | Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to a directory traversal vulnerability which allows the user to upload new files to the server folder.
CVE-2024-25869 | | | 2024-08-01 | 8.8 High | An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted PHP file in the settings.php component.
CVE-2024-25623 | | | 2024-08-01 | 8.5 High | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
CVE-2024-24809 | | | 2024-08-01 | 8.5 High | Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
CVE-2024-24551 | | | 2024-08-01 | N/A | A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24550 | 1 Bludit | 1 Bludit | 2024-08-01 | N/A | A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API, which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24350 | 1 Softwarepublico | 1 E-sic Livre | 2024-08-01 | 8.8 High | File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component.
CVE-2024-24393 | 1 Oaooa | 1 Pichome | 2024-08-01 | 9.8 Critical | File Upload vulnerability in index.php in Pichome v.1.1.01 allows a remote attacker to execute arbitrary code via a crafted POST request.
CVE-2024-24025 | 1 Xxyopen | 1 Novel-plus | 2024-08-01 | 9.8 Critical | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in a specially crafted filename parameter to perform arbitrary File download.
CVE-2024-24026 | 1 Xxyopen | 1 Novel-plus | 2024-08-01 | 9.8 Critical | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in a specially crafted filename parameter to perform arbitrary File download.
CVE-2024-24000 | 1 Huaxiaerp | 1 Jsherp | 2024-08-01 | 9.8 Critical | jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.
CVE-2024-23759 | 1 Gambio | 1 Gambio | 2024-08-01 | 9.8 Critical | Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via the "search" parameter of the "Parcelshopfinder/AddAddressBookEntry" function.
CVE-2024-23630 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2024-08-01 | 9 Critical | An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required; however, it can be bypassed.
CVE-2024-23534 | | | 2024-08-01 | N/A | An Unrestricted File-upload vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.