Total
2503 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41643 | 1 Church Management System Project | 1 Church Management System | 2024-08-04 | 9.8 Critical |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field. | ||||
| CVE-2021-41550 | 1 Leostream | 1 Connection Broker | 2024-08-04 | 7.2 High |
| Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code. | ||||
| CVE-2021-41560 | 1 Opencats | 1 Opencats | 2024-08-04 | 9.8 Critical |
| OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. | ||||
| CVE-2021-41421 | 1 Maianmedia | 1 Maianaffiliate | 2024-08-04 | 4.8 Medium |
| A PHP code injection vulnerability in MaianAffiliate v.1.0 allows an authenticated attacker to gain RCE through the MaianAffiliate admin panel. | ||||
| CVE-2021-41231 | 1 Openmage | 1 Magento | 2024-08-04 | 7.2 High |
| OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | ||||
| CVE-2021-41178 | 1 Nextcloud | 1 Server | 2024-08-04 | 8.8 High |
| Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-40954 | 1 Laiketui | 1 Laiketui | 2024-08-04 | 9.8 Critical |
| Laiketui 3.5.0 is affected by an arbitrary file upload vulnerability that can allow an attacker to execute arbitrary code. | ||||
| CVE-2021-40940 | 1 Monstra | 1 Monstra | 2024-08-04 | 9.8 Critical |
| Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability. | ||||
| CVE-2021-40883 | 1 Emlog | 1 Emlog | 2024-08-04 | 9.8 Critical |
| A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. | ||||
| CVE-2021-40845 | 1 Zenitel | 1 Alphacom Xe Audio Server | 2024-08-04 | 8.8 High |
| The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory. | ||||
| CVE-2021-40524 | 1 Pureftpd | 1 Pure-ftpd | 2024-08-04 | 7.5 High |
| In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) | ||||
| CVE-2021-40531 | 2 Apple, Sketch | 2 Macos, Sketch | 2024-08-04 | 9.8 Critical |
| Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app. | ||||
| CVE-2021-40324 | 1 Cobbler Project | 1 Cobbler | 2024-08-04 | 7.5 High |
| Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | ||||
| CVE-2021-40344 | 1 Nagios | 1 Nagios Xi | 2024-08-04 | 7.2 High |
| An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution. | ||||
| CVE-2021-40188 | 1 Php-fusion | 1 Phpfusion | 2024-08-04 | 7.2 High |
| PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server. | ||||
| CVE-2021-40189 | 1 Php-fusion | 1 Phpfusion | 2024-08-04 | 7.2 High |
| PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code. | ||||
| CVE-2021-40175 | 1 Zohocorp | 1 Manageengine Log360 | 2024-08-04 | 9.8 Critical |
| Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. | ||||
| CVE-2021-39608 | 1 Flatcore | 1 Flatcore-cms | 2024-08-04 | 7.2 High |
| Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code. | ||||
| CVE-2021-39384 | 1 Diaowen | 1 Dwsurvey | 2024-08-04 | 9.8 Critical |
| DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java. | ||||
| CVE-2021-39141 | 6 Debian, Fedoraproject, Netapp and 3 more | 21 Debian Linux, Fedora, Snapmanager and 18 more | 2024-08-04 | 8.5 High |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | ||||