Total: 2498 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-32177 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-09-16 | 9.0 Critical |
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of JavaScript code through the 'Normal Upload' functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker gets access to the admin's cookie, leading to account takeover. | ||||
CVE-2019-9572 | 1 Schoolcms | 1 Schoolcms | 2024-09-16 | N/A |
SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\Home\1_Static.php because of mishandling in the Application\Admin\Controller\ThemeController.class.php Upload() function. | ||||
CVE-2018-12491 | 1 Phpok | 1 Phpok | 2024-09-16 | N/A |
PHPOK 4.9.032 has an arbitrary file upload vulnerability in the import_f function in framework/admin/modulec_control.php, as demonstrated by uploading a .php file within a .php.zip archive, a similar issue to CVE-2018-8944. | ||||
CVE-2018-11736 | 1 Pluck-cms | 1 Pluck | 2024-09-16 | N/A |
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file. | ||||
CVE-2020-24407 | 1 Magento | 1 Magento | 2024-09-16 | 9.1 Critical |
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components. | ||||
CVE-2019-9613 | 1 Ofcms Project | 1 Ofcms | 2024-09-16 | N/A |
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because the blocking of .jsp and .jspx files does not consider (for example) a filename such as file.jsp::$DATA sent to the admin/ueditor/uploadVideo URI. | ||||
CVE-2019-8433 | 1 Jtbc | 1 Jtbc Php | 2024-09-16 | N/A |
JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/console/file/manage.php?type=list URI, as demonstrated by a .php file. | ||||
CVE-2018-19424 | 1 Clippercms | 1 Clippercms | 2024-09-16 | N/A |
ClipperCMS 1.3.3 allows remote authenticated administrators to upload .htaccess files. | ||||
CVE-2017-1000194 | 1 Octobercms | 1 October | 2024-09-16 | N/A |
October CMS build 412 is vulnerable to Apache configuration modification via its file upload functionality, resulting in site compromise and possibly compromise of other applications on the server. | ||||
CVE-2022-22482 | 1 Ibm | 1 Sterling B2b Integrator | 2024-09-16 | 6.5 Medium |
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow an authenticated user to upload files that could fill up the filesystem and cause a denial of service. IBM X-Force ID: 225977. | ||||
CVE-2020-8974 | 1 Zigor | 2 Zgr Tps200 Ng, Zgr Tps200 Ng Firmware | 2024-09-16 | 10 Critical |
In ZGR TPS200 NG firmware version 2.00 and hardware version 1.01, the firmware upload process does not perform any kind of restriction. This allows an attacker to modify the firmware and re-upload it via the web interface with malicious modifications, rendering the device unusable. | ||||
CVE-2021-29699 | 2 Docker, Ibm | 2 Docker, Security Verify Access | 2024-09-16 | 6.8 Medium |
IBM Security Verify Access Docker 10.0.0 could allow a remote privileged user to upload arbitrary files with a dangerous file type that could be executed by a user. IBM X-Force ID: 200600. | ||||
CVE-2018-12468 | 1 Microfocus | 1 Groupwise | 2024-09-16 | N/A |
A vulnerability in the administration console of Micro Focus GroupWise prior to version 18.0.2 may allow a remote attacker authenticated as an administrator to upload files to an arbitrary path on the server. In certain circumstances this could result in remote code execution. | ||||
CVE-2021-42362 | 1 Wordpress Popular Posts Project | 1 Wordpress Popular Posts | 2024-09-16 | 8.8 High |
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2. | ||||
CVE-2017-6931 | 1 Drupal | 1 Drupal | 2024-09-16 | N/A |
In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. | ||||
CVE-2023-35018 | 1 Ibm | 1 Security Verify Governance | 2024-09-16 | 3.3 Low |
IBM Security Verify Governance 10.0 could allow a privileged user to upload arbitrary files due to improper file validation. IBM X-Force ID: 259382. | ||||
CVE-2021-29092 | 1 Synology | 1 Photo Station | 2024-09-16 | 8.8 High |
Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors. | ||||
CVE-2021-34623 | 1 Properfraction | 1 Profilepress | 2024-09-16 | 9.8 Critical |
A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. | ||||
CVE-2022-40200 | 1 Gvectors | 1 Wpforo Forum | 2024-09-16 | 9.9 Critical |
Authenticated (subscriber+) Arbitrary File Upload vulnerability in the wpForo Forum plugin <= 2.0.9 on WordPress. | ||||
CVE-2021-44164 | 1 Chinasea | 1 Qb Smart Service Robot | 2024-09-16 | 9.8 Critical |
The Chain Sea AI chatbot system's file upload function has insufficient filtering of special characters in URLs, which allows a remote attacker to bypass file type validation, upload a malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service. |
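Several entries above describe the same handful of upload-filter bypasses: a script hidden behind a double extension (PHPOK CVE-2018-12491, `.php.zip`), an NTFS alternate data stream suffix that defeats an extension denylist (OFCMS CVE-2019-9613, `file.jsp::$DATA`), a `.htaccess` accepted because the client sent an image Content-Type (Pluck CVE-2018-11736, ClipperCMS CVE-2018-19424, October CMS CVE-2017-1000194), a `PK` header followed by PHP code so that a magic-byte check passes (SchoolCMS CVE-2019-9572), and an archive whose members are scripts (PHPOK again). The validator below is an added example written for this page; it is not code from any of the listed projects. It assumes a hypothetical media library with an allowlist of `ALLOWED_EXT` for direct uploads and `ARCHIVE_MEMBER_EXT` for theme archives, and the sample uploads in `__main__` are constructed to mirror the bypass patterns, not captured from any of the products. The client's Content-Type header is deliberately ignored; the decision rests on a canonicalised filename, an allowlist applied to every suffix, leading bytes, and, for archives, a full parse of the ZIP plus the same name policy for each member.

```python
import io
import re
import secrets
import zipfile
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional, Tuple

# Hypothetical policy: extensions stored directly, and extensions tolerated
# inside an uploaded theme archive. Anything else is refused.
ALLOWED_EXT = frozenset({"jpg", "jpeg", "png", "gif", "zip"})
ARCHIVE_MEMBER_EXT = frozenset({"css", "js", "html", "jpg", "jpeg", "png", "gif"})

# Leading bytes each allowed type must start with. The client's Content-Type
# header plays no part in the decision.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}

NAME_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def canonical_name(filename: str) -> str:
    """Reduce a user-supplied filename to a bare basename: drop NUL bytes,
    directory components (both / and \\), NTFS stream suffixes such as
    ``file.jsp::$DATA`` and trailing dots/spaces Windows silently removes."""
    name = filename.replace("\x00", "")
    name = name.split(":", 1)[0]          # "file.jsp::$DATA" -> "file.jsp"
    name = PureWindowsPath(name).name     # accepts \ and / as separators
    name = PurePosixPath(name).name
    return name.rstrip(". ")


def check_name(name: str, allowed: frozenset) -> Optional[str]:
    """Return the final extension if every suffix is allowlisted, else None."""
    if not name or name.startswith("."):
        return None                       # .htaccess, .user.ini, hidden files
    if not NAME_RE.fullmatch(name):
        return None
    suffixes = name.lower().split(".")[1:]   # "a.php.jpg" -> ["php", "jpg"]
    if any(s not in allowed for s in suffixes):
        return None
    return suffixes[-1]


def check_zip(data: bytes) -> Tuple[bool, str]:
    """The archive must be a complete ZIP and every member must pass the name policy."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):       # a bare PK header with PHP after it fails here
        return False, "not a well-formed zip archive"
    with zipfile.ZipFile(buf) as zf:
        if zf.testzip() is not None:
            return False, "corrupt zip member"
        for info in zf.infolist():
            member = info.filename
            if member.startswith(("/", "\\")) or ".." in PurePosixPath(member).parts:
                return False, f"path traversal in member {member!r}"
            if info.is_dir():
                continue
            if check_name(canonical_name(member), ARCHIVE_MEMBER_EXT) is None:
                return False, f"disallowed member {member!r}"
    return True, "ok"


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is stored; on success return the server-chosen name."""
    name = canonical_name(filename)
    ext = check_name(name, ALLOWED_EXT)
    if ext is None:
        return False, f"rejected name {name!r} (client claimed {content_type})"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not start like a {ext} file"
    if ext == "zip":
        ok, why = check_zip(data)
        if not ok:
            return False, why
    # Never reuse the client's name on disk: random name plus the verified extension.
    return True, f"{secrets.token_hex(8)}.{ext}"


def make_zip(members: dict) -> bytes:
    """Build a small ZIP in memory (only used to construct sample uploads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the bypasses in the listing above.
    samples = [
        ("shell.php", "image/jpeg", b"<?php system($_GET['c']); ?>"),
        ("file.jsp::$DATA", "video/mp4", b"<% Runtime.getRuntime(); %>"),
        (".htaccess", "image/jpeg", b"AddType application/x-httpd-php .jpg\n"),
        ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff<?php phpinfo(); ?>"),
        ("1_Static.zip", "application/zip", b"PK\x03\x04<?php phpinfo(); ?>"),
        ("theme.zip", "application/zip", make_zip({"theme/shell.php": b"<?php"})),
        ("photo.jpg", "text/plain", b"\xff\xd8\xff\xe0" + bytes(16)),
        ("1_Static.zip", "application/zip", make_zip({"theme/style.css": b"body{}"})),
    ]
    for filename, ctype, body in samples:
        ok, detail = validate_upload(filename, ctype, body)
        print(f"{'ACCEPT' if ok else 'REJECT'} {filename!r}: {detail}")
```

Two design points matter more than the individual checks. First, the allowlist is applied to every suffix rather than only the last one, so `shell.php.jpg` and `plugin.php.zip` are refused by name before any content is inspected; a denylist of `.php`, `.jsp`, `.jspx` would still miss `.phtml`, `.jsw` or `file.jsp::$DATA`. Second, the stored filename is generated server-side, so even a bypass of the name checks cannot choose where or under what name the file lands, which is what turned the SchoolCMS and PHPOK uploads into code execution.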