Total
2503 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-12828 | 1 Pango | 1 Virtual Private Network Software Development Kit | 2024-08-04 | 9.8 Critical |
| An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges. | ||||
| CVE-2020-12837 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-08-04 | 7.5 High |
| ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used. | ||||
| CVE-2020-12846 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-08-04 | 8.0 High |
| Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution. | ||||
| CVE-2020-12800 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2024-08-04 | 9.8 Critical |
| The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. | ||||
| CVE-2020-12675 | 1 Mappresspro | 1 Mappress | 2024-08-04 | 8.8 High |
| The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPress does not correctly implement capability checks for AJAX functions related to creation/retrieval/deletion of PHP template files, leading to Remote Code Execution. NOTE: this issue exists because of an incomplete fix for CVE-2020-12077. | ||||
| CVE-2020-12715 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2024-08-04 | 8.8 High |
| RainbowFish PacsOne Server 6.8.4 has Incorrect Access Control. | ||||
| CVE-2020-12252 | 1 Gigamon | 1 Gigavue | 2024-08-04 | 6.2 Medium |
| An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an arbitrary file upload for an authenticated user. If an executable file is uploaded into the www-root directory, then it could yield remote code execution via the filename parameter. | ||||
| CVE-2020-12255 | 1 Rconfig | 1 Rconfig | 2024-08-04 | 8.8 High |
| rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php accepts a file upload by checking content-type without considering the file extension and header. Thus, an attacker can exploit this by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif. | ||||
| CVE-2020-12077 | 1 Mappresspro | 1 Mappress | 2024-08-04 | 8.8 High |
| The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution. | ||||
| CVE-2020-12005 | 1 Rockwellautomation | 2 Factorytalk Linx, Rslinx Classic | 2024-08-04 | 7.5 High |
| FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition. | ||||
| CVE-2020-11943 | 1 Opmantek | 1 Open-audit | 2024-08-04 | 8.8 High |
| An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload. | ||||
| CVE-2020-11807 | 1 Sourcefabric | 1 Newscoop | 2024-08-04 | 7.8 High |
| Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path. | ||||
| CVE-2020-11811 | 1 Qdpm | 1 Qdpm | 2024-08-04 | 9.8 Critical |
| In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the server using this malicious file. | ||||
| CVE-2020-11817 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | ||||
| CVE-2020-11815 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | ||||
| CVE-2020-11722 | 1 Dungeon Crawl Stone Soup Project | 1 Dungeon Crawl Stone Soup | 2024-08-04 | 9.8 Critical |
| Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file. | ||||
| CVE-2020-11598 | 1 Cipplanner | 1 Cipace | 2024-08-04 | 9.8 Critical |
| An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | ||||
| CVE-2020-11544 | 1 Projectworlds | 1 Official Car Rental System | 2024-08-04 | 7.2 High |
| An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for executable files. | ||||
| CVE-2020-11486 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2024-08-04 | 9.8 Critical |
| NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution. | ||||
| CVE-2020-11451 | 1 Microstrategy | 1 Microstrategy Web | 2024-08-04 | 7.2 High |
| The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. | ||||