Total
2503 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43829 | 1 Patrowl | 1 Patrowlmanager | 2024-08-04 | 7.4 High |
| PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue. | ||||
| CVE-2021-43617 | 1 Laravel | 1 Framework | 2024-08-04 | 9.8 Critical |
| Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload. | ||||
| CVE-2021-43421 | 1 Std42 | 1 Elfinder | 2024-08-04 | 9.8 Critical |
| A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. | ||||
| CVE-2021-43430 | 1 Bigantsoft | 1 Bigant Office Messenger 5 | 2024-08-04 | 8.8 High |
| An Access Control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files. | ||||
| CVE-2021-43258 | 1 Churchdb | 1 Churchinfo | 2024-08-04 | 8.8 High |
| CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server. | ||||
| CVE-2021-43103 | 1 Diyhi | 1 Bbs | 2024-08-04 | 7.2 High |
| A File Upload vulnerability exists in bbs 5.3 is via ForumManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | ||||
| CVE-2021-43098 | 1 Diyhi | 1 Bbs | 2024-08-04 | 7.2 High |
| A File Upload vulnerability exists in bbs v5.3 via QuestionManageAction.java in a getType function. | ||||
| CVE-2021-43100 | 1 Diyhi | 1 Bbs | 2024-08-04 | 7.2 High |
| A File Upload vulnerability exists in bbs 5.3 is via TopicManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | ||||
| CVE-2021-43117 | 1 Fastadmin | 1 Fastadmin | 2024-08-04 | 9.8 Critical |
| fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. | ||||
| CVE-2021-43102 | 1 Diyhi | 1 Bbs | 2024-08-04 | 7.2 High |
| A File Upload vulnerability exists in bbs 5.3 is via HelpManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | ||||
| CVE-2021-43101 | 1 Diyhi | 1 Bbs | 2024-08-04 | 7.2 High |
| A File Upload vulnerability exists in bbs 5.3 is via MembershipCardManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | ||||
| CVE-2021-42967 | 1 Xxyopen | 1 Novel-plus | 2024-08-04 | 9.8 Critical |
| Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows allows an attacker to upload malicious JSP files. | ||||
| CVE-2021-42840 | 1 Salesagility | 1 Suitecrm | 2024-08-04 | 8.8 High |
| SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. | ||||
| CVE-2021-42675 | 1 Kreado | 1 Kreasfero | 2024-08-04 | 9.8 Critical |
| Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution. | ||||
| CVE-2021-42645 | 1 Cmsimple-xh | 1 Cmsimple Xh | 2024-08-04 | 10.0 Critical |
| CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host. | ||||
| CVE-2021-42654 | 1 Sscms | 1 Siteserver Cms | 2024-08-04 | 9.8 Critical |
| SiteServer CMS < V5.1 is affected by an unrestricted upload of a file with dangerous type (getshell), which could be used to execute arbitrary code. | ||||
| CVE-2021-42669 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-08-04 | 9.8 Critical |
| A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id. | ||||
| CVE-2021-42342 | 1 Embedthis | 1 Goahead | 2024-08-04 | 9.8 Critical |
| An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts. | ||||
| CVE-2021-42171 | 1 Tribalsystems | 1 Zenario | 2024-08-04 | 7.2 High |
| Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth. | ||||
| CVE-2021-42123 | 1 Businessdnasolutions | 1 Topease | 2024-08-04 | 7.3 High |
| Unrestricted File Upload in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 in the File Upload Functions allows an authenticated remote attacker with Upload privileges to upload files with any file type, enabling client-side attacks. | ||||