Total
2801 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-46373 | 1 Dedecms | 1 Dedecms | 2024-09-20 | 8.8 High |
| Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend. | ||||
| CVE-2024-27115 | 2 Simple Online Planning, Soplanning | 2 So Planning, Soplanning | 2024-09-18 | 9.8 Critical |
| A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02. | ||||
| CVE-2024-8242 | 1 Inspireui | 1 Mstore Api | 2024-09-18 | 4.3 Medium |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue. | ||||
| CVE-2024-7705 | 2 Fujian, Mainwww | 2 Mwcms, Mwcms | 2024-09-16 | 4.7 Medium |
| A vulnerability was found in Fujian mwcms 1.0.0. It has been declared as critical. Affected by this vulnerability is the function uploadeditor of the file /uploadeditor.html?action=uploadimage of the component Image Upload. The manipulation of the argument upfile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-39397 | 1 Adobe | 2 Commerce, Magento | 2024-09-16 | 9 Critical |
| Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed. | ||||
| CVE-2024-44871 | 1 Mozilo | 1 Mozilocms | 2024-09-13 | 7.2 High |
| An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2022-1206 | 1 Adrotate Banner Manager Project | 1 Adrotate Banner Manager | 2024-09-13 | 7.2 High |
| The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present. | ||||
| CVE-2024-8463 | 1 Phpgurukul | 1 Job Portal | 2024-09-12 | 9.9 Critical |
| File upload restriction bypass vulnerability in PHPGurukul Job Portal 1.0, the exploitation of which could allow an authenticated user to execute an RCE via webshell. | ||||
| CVE-2024-6311 | 1 Funnelforms | 1 Funnelforms Free | 2024-09-12 | 7.2 High |
| The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'af2_add_font' function in all versions up to, and including, 3.7.3.2. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-8232 | 1 Spidercontrol | 1 Scada Webserver | 2024-09-12 | 7.5 High |
| SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication. | ||||
| CVE-2024-7500 | 2 Angeljudesuarez, Itsourcecode | 2 Airline Reservation System, Airline Reservation System | 2024-09-11 | 6.3 Medium |
| A vulnerability was found in itsourcecode Airline Reservation System 1.0. It has been rated as critical. Affected by this issue is the function save_settings of the file admin/admin_class.php. The manipulation of the argument img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273626 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-7506 | 2 Angeljudesuarez, Itsourcecode | 2 Tailoring Management System, Tailoring Management System | 2024-09-11 | 6.3 Medium |
| A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /setlogo.php. The manipulation of the argument bgimg leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273649 was assigned to this vulnerability. | ||||
| CVE-2024-44849 | 1 Qualitor | 1 Qalitor | 2024-09-09 | 9.8 Critical |
| Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php. | ||||
| CVE-2024-7620 | 1 The Beaver Builder Team | 1 Cutomizer Export\/import | 2024-09-09 | 6.6 Medium |
| The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created. | ||||
| CVE-2024-8164 | 1 Beikeshop | 2 Beikeshop, Chengdu Everbrite Network Technology | 2024-09-06 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this issue is the function rename of the file /Admin/Http/Controllers/FileManagerController.php. The manipulation of the argument new_name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2024-09-06 | 7.2 High |
| ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server. | ||||
| CVE-2024-45076 | 2 Ibm, Softwareag | 2 Webmethods Integration, Webmethods | 2024-09-06 | 9.9 Critical |
| IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system. | ||||
| CVE-2024-43249 | 1 Bitapps | 2 Bit Form, Bit Form Pro | 2024-09-06 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through 2.6.4. | ||||
| CVE-2024-40645 | 1 Fogproject | 1 Fogproject | 2024-09-05 | 8.8 High |
| FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41. | ||||
| CVE-2024-8330 | 2 6shr System Project, Gethertechnology | 2 6shr System, 6shr | 2024-09-05 | 8.8 High |
| 6SHR system from Gether Technology does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload web shell scripts and use them to execute arbitrary system commands on the server. | ||||