Total
2503 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-9380 | 1 Whmcssmarters | 1 Web Tv Player | 2024-08-04 | 9.8 Critical |
| IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script. | ||||
| CVE-2020-9309 | 1 Silverstripe | 2 Mimevalidator, Recipe | 2024-08-04 | 8.8 High |
| Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected. | ||||
| CVE-2020-9280 | 1 Silverstripe | 1 Silverstripe | 2024-08-04 | 7.5 High |
| In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. | ||||
| CVE-2020-8500 | 1 Artica | 1 Pandora Fms | 2024-08-04 | 7.2 High |
| In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality | ||||
| CVE-2020-8866 | 2 Debian, Horde | 3 Debian Linux, Groupware, Horde Form | 2024-08-04 | 6.5 Medium |
| This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125. | ||||
| CVE-2020-8639 | 1 Testlink | 1 Testlink | 2024-08-04 | 8.8 High |
| An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. | ||||
| CVE-2020-8511 | 1 Artica | 1 Pandora Fms | 2024-08-04 | 7.2 High |
| In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. | ||||
| CVE-2020-8440 | 1 Simplejobscript | 1 Simplejobscript | 2024-08-04 | 9.8 Critical |
| controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume. | ||||
| CVE-2020-8260 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2024-08-04 | 7.2 High |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | ||||
| CVE-2020-8181 | 1 Nextcloud | 1 Contacts | 2024-08-04 | 4.3 Medium |
| A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | ||||
| CVE-2020-8162 | 3 Debian, Redhat, Rubyonrails | 4 Debian Linux, Satellite, Satellite Capsule and 1 more | 2024-08-04 | 7.5 High |
| A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | ||||
| CVE-2020-7998 | 1 Super File Explorer Project | 1 Super File Explorer | 2024-08-04 | 8.8 High |
| An arbitrary file upload vulnerability has been discovered in the Super File Explorer app 1.0.1 for iOS. The vulnerability is located in the developer path that is accessible and hidden next to the root path. By default, there is no password set for the FTP or Web UI service. | ||||
| CVE-2020-7935 | 1 Artica | 1 Pandora Fms | 2024-08-04 | 7.2 High |
| Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access. | ||||
| CVE-2020-7847 | 1 Iptime | 18 Nas-i, Nas-i Firmware, Nas-ii and 15 more | 2024-08-04 | 7.4 High |
| The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36. | ||||
| CVE-2020-7569 | 1 Schneider-electric | 1 Webreports | 2024-08-04 | 8.8 High |
| A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution. | ||||
| CVE-2020-7302 | 1 Mcafee | 1 Data Loss Prevention | 2024-08-04 | 5.4 Medium |
| Unrestricted Upload of File with Dangerous Type in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to upload malicious files to the DLP case management section via lack of sanity checking. | ||||
| CVE-2020-7246 | 1 Qdpm | 1 Qdpm | 2024-08-04 | 8.8 High |
| A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884. | ||||
| CVE-2020-7055 | 1 Elementor | 1 Elementor Page Builder | 2024-08-04 | 9.9 Critical |
| An issue was discovered in Elementor 2.7.4. Arbitrary file upload is possible in the Elementor Import Templates function, allowing an attacker to execute code via a crafted ZIP archive. | ||||
| CVE-2020-6965 | 1 Gehealthcare | 18 Apexpro Telemetry Server, Apexpro Telemetry Server Firmware, Carescape B450 Monitor and 15 more | 2024-08-04 | 9.9 Critical |
| In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package. | ||||
| CVE-2020-6975 | 1 Digi | 3 Connectport Lts 32 Mei, Connectport Lts 32 Mei Bios, Connectport Lts 32 Mei Firmware | 2024-08-04 | 4.9 Medium |
| Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application. | ||||