Total
2498 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-2914 | 1 Ibm | 1 Rational Publishing Engine | 2024-08-05 | N/A |
Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specifying an unexpected file extension. | ||||
CVE-2016-1713 | 1 Vtiger | 1 Vtiger Crm | 2024-08-05 | N/A |
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. | ||||
CVE-2017-1002002 | 1 Webapp-builder Project | 1 Webapp-builder | 2024-08-05 | N/A |
Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/ | ||||
CVE-2017-1002001 | 1 Mobile-app-builder-by-wappress Project | 1 Mobile-app-builder-by-wappress | 2024-08-05 | N/A |
Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. | ||||
CVE-2017-1002008 | 1 Membership Simplified Project | 1 Membership Simplified | 2024-08-05 | 9.8 Critical |
Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges. | ||||
CVE-2017-1002000 | 1 Mobile-friendly-app-builder-by-easytouch Project | 1 Mobile-friendly-app-builder-by-easytouch | 2024-08-05 | N/A |
Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content. | ||||
CVE-2017-1002003 | 1 Wp2android-turn-wp-site-into-android-app Project | 1 Wp2android-turn-wp-site-into-android-app | 2024-08-05 | N/A |
Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. | ||||
CVE-2017-1000119 | 1 Octobercms | 1 October | 2024-08-05 | N/A |
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. | ||||
CVE-2017-1000081 | 1 Onosproject | 1 Onos | 2024-08-05 | 9.8 Critical |
Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. | ||||
CVE-2017-20063 | 1 Elefantcms | 1 Elefant Cms | 2024-08-05 | 6.3 Medium |
A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classified as critical. Affected is an unknown function of the file /filemanager/upload/drop of the component File Upload. The manipulation leads to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component. | ||||
CVE-2017-20021 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more | 2024-08-05 | 6.5 Medium |
A vulnerability, which was classified as critical, was found in Solare Solar-Log 2.8.4-56/3.5.2-85. This affects an unknown part of the component File Upload. The manipulation leads to privilege escalation. It is possible to initiate the attack remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component. | ||||
CVE-2017-18592 | 1 Wc-marketplace | 1 Wc Catalog Enquiry | 2024-08-05 | N/A |
The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. | ||||
CVE-2017-18435 | 1 Cpanel | 1 Cpanel | 2024-08-05 | N/A |
cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238). | ||||
CVE-2017-16941 | 1 Octobercms | 1 October | 2024-08-05 | N/A |
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering. | ||||
CVE-2017-18048 | 1 Monstra | 1 Monstra | 2024-08-05 | N/A |
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not. | ||||
CVE-2017-17987 | 1 Muslim Matrimonial Script Project | 1 Muslim Matrimonial Script | 2024-08-05 | N/A |
PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php. | ||||
CVE-2017-17976 | 1 Perfexcrm | 1 Perfex Crm | 2024-08-05 | N/A |
In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. | ||||
CVE-2017-17874 | 1 Vanguard Project | 1 Marketplace Digital Products Php | 2024-08-05 | N/A |
Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI. | ||||
CVE-2017-17593 | 1 Simple Chatting System Project | 1 Simple Chatting System | 2024-08-05 | N/A |
Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. | ||||
CVE-2017-16949 | 1 Accesspressthemes | 1 Anonymous Post Pro | 2024-08-05 | N/A |
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution. |