Filtered by CWE-434
Total 2497 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-4470 | 1: Ibm | 1: Spectrum Protect Plus | 2024-09-16 | 8.0 High | IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console could allow an authenticated attacker to upload arbitrary files, which could be used to execute arbitrary code on the vulnerable server. IBM X-Force ID: 181725. |
| CVE-2021-21014 | 1: Magento | 1: Magento | 2024-09-16 | N/A | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. |
| CVE-2021-41290 | 1: Ecoa | 5: Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2024-09-16 | 9.8 Critical | ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device. |
| CVE-2021-35244 | 2: Microsoft, Solarwinds | 2: Windows, Orion Platform | 2024-09-16 | 6.8 Medium | The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload, causing remote code execution. |
| CVE-2023-51409 | | | 2024-09-16 | 10 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98. |
| CVE-2022-42698 | 1: Api2cart | 1: Api2cart Bridge Connector | 2024-09-16 | 9.8 Critical | Unauthenticated Arbitrary File Upload vulnerability in the WordPress Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress. |
| CVE-2022-39036 | 1: Flowring | 1: Agentflow | 2024-09-16 | 9.8 Critical | The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files and execute arbitrary code to manipulate the system or disrupt service. |
| CVE-2021-29891 | 1: Ibm | 8: Hardware Management Console 7063-cr2, Hardware Management Console 7063-cr2 Firmware, Power System Ac922 (8335-gtg) and 5 more | 2024-09-16 | 4.9 Medium | IBM OPENBMC OP910 and OP940 could allow a privileged user to upload an improper site identity certificate that may cause it to lose network services. IBM X-Force ID: 207221. |
| CVE-2022-2102 | 1: Secheron | 2: Sepcos Control And Protection Relay, Sepcos Control And Protection Relay Firmware | 2024-09-16 | 9.4 Critical | Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed. |
| CVE-2017-2699 | 1: Huawei | 6: Honor 7, Honor 7 Firmware, Lyo-l21 and 3 more | 2024-09-16 | N/A | The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. An attacker could exploit this vulnerability to upload theme packs containing malicious files and trick users into installing the theme packs, resulting in the execution of arbitrary code. |
| CVE-2020-4620 | 1: Ibm | 1: Data Risk Manager | 2024-09-16 | 8.8 High | IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 184979. |
| CVE-2018-18752 | 1: Webiness Project | 1: Webiness Inventory | 2024-09-16 | N/A | Webiness Inventory 2.3 suffers from an Arbitrary File Upload vulnerability via PHP code in the protected/library/ajax/WsSaveToModel.php logo parameter. |
| CVE-2018-10469 | 1: B3log | 1: Symphony | 2024-09-16 | N/A | b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. |
| CVE-2017-17727 | 1: Dedecms | 1: Dedecms | 2024-09-16 | N/A | DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. |
| CVE-2021-38471 | 1: Auvesy | 1: Versiondog | 2024-09-16 | 9.1 Critical | There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files. |
| CVE-2019-1861 | 1: Cisco | 1: Industrial Network Director | 2024-09-16 | 7.2 High | A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. |
| CVE-2019-8933 | 1: Dedecms | 1: Dedecms | 2024-09-16 | N/A | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php. |
| CVE-2018-8944 | 1: Phpok | 1: Phpok | 2024-09-16 | N/A | PHPOK 4.8.338 has an arbitrary file upload vulnerability. |
| CVE-2018-11331 | 1: Pluck-cms | 1: Pluck | 2024-09-16 | N/A | An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed file types for uploads is missing some applicable ones, such as .phtml and .htaccess. |
| CVE-2022-32177 | 1: Gin-vue-admin Project | 1: Gin-vue-admin | 2024-09-16 | 9.0 Critical | In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of JavaScript code, through the 'Normal Upload' functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker will get access to the admin's cookie, leading to account takeover. |