Total
2499 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15866 | 1 Crelly Slider Project | 1 Crelly Slider | 2024-08-05 | N/A |
| The crelly-slider plugin before 1.3.5 for WordPress has arbitrary file upload via a PHP file inside a ZIP archive to wp_ajax_crellyslider_importSlider. | ||||
| CVE-2019-15862 | 1 Cksource | 1 Ckfinder | 2024-08-05 | 7.5 High |
| An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP. | ||||
| CVE-2019-15813 | 1 Sentrifugo | 1 Sentrifugo | 2024-08-05 | 8.8 High |
| Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell. | ||||
| CVE-2019-15843 | 1 Mi | 1 Xiaomi Millet Firmware | 2024-08-05 | 7.4 High |
| A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. | ||||
| CVE-2019-15766 | 1 Kslabs | 1 Ksweb | 2024-08-05 | 8.8 High |
| The KSLABS KSWEB (aka ru.kslabs.ksweb) application 3.93 for Android allows authenticated remote code execution via a POST request to the AJAX handler with the configFile parameter set to the arbitrary file to be written to (and the config_text parameter set to the content of the file to be created). This can be a PHP file that is written to in the public web directory and subsequently executed. The attacker must have network connectivity to the PHP server that is running on the Android device. | ||||
| CVE-2019-15649 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2024-08-05 | N/A |
| The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload. | ||||
| CVE-2019-15751 | 1 Sitos | 1 Sitos Six | 2024-08-05 | 9.8 Critical |
| An unrestricted file upload vulnerability in SITOS six Build v6.2.1 allows remote attackers to execute arbitrary code by uploading a SCORM file with an executable extension. This allows an unauthenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to the web root of the application. | ||||
| CVE-2019-15748 | 1 Sitos | 1 Sitos Six | 2024-08-05 | 9.8 Critical |
| SITOS six Build v6.2.1 permits unauthorised users to upload and import a SCORM 2004 package by browsing directly to affected pages. An unauthenticated attacker could use the upload and import functionality to import a malicious SCORM package that includes a PHP file, which could execute arbitrary PHP code. | ||||
| CVE-2019-15524 | 1 Cszcms | 1 Csz Cms | 2024-08-05 | N/A |
| CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI. | ||||
| CVE-2019-15123 | 1 Vikisolutions | 1 Vera | 2024-08-05 | 7.2 High |
| The Branding Module in Viki Vera 4.9.1.26180 allows an authenticated user to change the logo on the website. An attacker could use this to upload a malicious .aspx file and gain Remote Code Execution on the site. | ||||
| CVE-2019-15131 | 1 Code42 | 1 Code42 | 2024-08-05 | 9.8 Critical |
| In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution. | ||||
| CVE-2019-15091 | 1 Artica | 1 Integria Ims | 2024-08-05 | N/A |
| filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload. | ||||
| CVE-2019-14916 | 1 Prise | 1 Adas | 2024-08-05 | 6.5 Medium |
| An issue was discovered in PRiSE adAS 1.7.0. A file's format is not properly checked, leading to an unrestricted file upload. | ||||
| CVE-2019-14748 | 1 Osticket | 1 Osticket | 2024-08-05 | N/A |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment. | ||||
| CVE-2019-14755 | 1 Leaftecnologia | 1 Leaf Admin | 2024-08-05 | N/A |
| The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type. | ||||
| CVE-2019-14657 | 1 Yeahlink | 6 T49g, T49g Firmware, T58v and 3 more | 2024-08-05 | 8.8 High |
| Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root. | ||||
| CVE-2019-14656 | 1 Yeahlink | 6 T49g, T49g Firmware, T58v and 3 more | 2024-08-05 | 8.8 High |
| Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP. | ||||
| CVE-2019-14467 | 1 Infoway | 1 Social Photo Gallery | 2024-08-05 | 7.8 High |
| The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked. | ||||
| CVE-2019-14451 | 1 Repetier-server | 1 Repetier-server | 2024-08-05 | 9.8 Critical |
| RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not properly validate the XML data structure provided when uploading a new printer configuration. When this is combined with CVE-2019-14450, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart. | ||||
| CVE-2019-14252 | 1 Publisure | 1 Publisure | 2024-08-05 | 7.2 High |
| An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from the adminCons.php view (i.e., the rogue PHP file can be hidden). | ||||