Filtered by CWE-434
Total 2499 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-36701 1 King-theme 1 Page Builder King Composer 2024-08-04 8.8 High
The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server.
CVE-2020-36485 1 Madeportable 1 Playable 2024-08-04 7.8 High
Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
CVE-2020-36388 1 Civicrm 1 Civicrm 2024-08-04 8.8 High
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36167 1 Veritas 1 Backup Exec 2024-08-04 9.3 Critical
An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain.
CVE-2020-36141 1 Bloofox 1 Bloofoxcms 2024-08-04 8.8 High
BloofoxCMS 0.5.2.1 contains an Unrestricted File Upload vulnerability: MIME type validation can be bypassed by inserting 'image/jpeg' in the 'Content-Type' header.
CVE-2020-36082 1 Bloofox 1 Bloofoxcms 2024-08-04 9.8 Critical
A File Upload vulnerability in bloofoxCMS version 0.5.2.1 allows remote attackers to execute arbitrary code and escalate privileges via a crafted webshell file submitted to the upload module.
CVE-2020-35945 1 Elegant Themes 3 Divi, Divi Builder, Divi Extra 2024-08-04 9.9 Critical
An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.
CVE-2020-35949 1 Expresstech 1 Quiz And Survey Master 2024-08-04 10 Critical
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.
CVE-2020-35760 1 Bloofox 1 Bloofoxcms 2024-08-04 9.8 Critical
bloofoxCMS 0.5.2.1 contains an Unrestricted File Upload vulnerability that allows attackers to upload malicious files (e.g., PHP files).
CVE-2020-35797 1 Netgear 2 Nms300, Nms300 Firmware 2024-08-04 9.8 Critical
NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker.
CVE-2020-35656 1 Jaws Project 1 Jaws 2024-08-04 7.2 High
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
CVE-2020-35627 1 Woocommerce 1 Gift Cards 2024-08-04 8.8 High
Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom Gift Card Template feature that allows remote execution of arbitrary code. The "Custom Gift Card Template" function relies on the custom-image upload; renaming the image's extension to PHP allows the uploaded PHP code to be executed on the server.
CVE-2020-35657 1 Jaws Project 1 Jaws 2024-08-04 7.2 High
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
CVE-2020-35442 1 Fangfa 1 Fdcms 2024-08-04 9.8 Critical
FDCMS (also known as Fangfa Content Management System) 4.0 allows remote attackers to get a webshell in the background via Front/lib/Action/FindexAction.class.php.
CVE-2020-35489 1 Rocklobster 1 Contact Form 7 2024-08-04 10.0 Critical
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
CVE-2020-35133 1 Irfanview 1 Irfanview 2024-08-04 7.5 High
IrfanView 4.56 contains an error when parsing files of type .pcx, which leads to an out-of-bounds write at i_view32+0xdb60.
CVE-2020-29607 1 Pluck-cms 1 Pluck 2024-08-04 7.2 High
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access to the host through the "manage files" functionality, which may result in remote code execution.
CVE-2020-29592 1 Orchardproject 1 Orchard 2024-08-04 9.8 Critical
An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables, bypassing the allowed file types (regardless of the allowed file types list in Media settings).
CVE-2020-29597 1 Incomcms Project 1 Incomcms 2024-08-04 9.8 Critical
IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This vulnerability allows unauthenticated attackers to upload files to the server.
CVE-2020-29441 1 Outsystems 1 Outsystems 2024-08-04 7.2 High
An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being processed asynchronously, or deny access to legitimate uploaded files.