Total: 2510 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-29622 | 1 Formidable Project | 1 Formidable | 2024-08-03 | 9.8 Critical | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability. |
CVE-2022-29351 | 1 Tiddlywiki | 1 Tiddlywiki5 | 2024-08-03 | 9.8 Critical | An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: the vendor argues that this is not a legitimate issue and that there is no vulnerability here. |
CVE-2022-31161 | 1 Roxy-wi | 1 Roxy-wi | 2024-08-03 | 10 Critical | Roxy-WI is a web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, system commands can be run remotely via the subprocess_execute function in the /app/options.py file without processing the inputs received from the user. Version 6.1.1.0 contains a patch for this issue. |
CVE-2022-31134 | 1 Zulip | 1 Zulip Server | 2024-08-03 | 4.9 Medium | Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue. |
CVE-2022-31086 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2024-08-03 | 8.8 High | LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0, incorrect regular expressions allow uploading PHP scripts to config/templates/pdf. This vulnerability could lead to remote code execution if the /config/templates/pdf/ directory is accessible to remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue. |
CVE-2022-31041 | 1 Maykinmedia | 1 Open Forms | 2024-08-03 | 7.6 High | Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of Open Forms may be able to scan for and block malicious content before it reaches the Open Forms application. |
CVE-2022-30860 | 1 Fudforum | 1 Fudforum | 2024-08-03 | 7.2 High | FUDforum 3.1.2 is vulnerable to remote code execution through the Upload File feature of the File Administration System in the Admin Control Panel. |
CVE-2022-30820 | 1 Wedding Management System Project | 1 Wedding Management System | 2024-08-03 | 8.8 High | In Wedding Management v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "users_edit.php" file. |
CVE-2022-30819 | 1 Wedding Management System Project | 1 Wedding Management System | 2024-08-03 | 8.8 High | In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "photos_edit.php" file. |
CVE-2022-30822 | 1 Wedding Management System Project | 1 Wedding Management System | 2024-08-03 | 8.8 High | In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "users_profile.php" file. |
CVE-2022-30821 | 1 Wedding Management System Project | 1 Wedding Management System | 2024-08-03 | 8.8 High | In Wedding Management System v1.0, the editing function of the "Services" module in the background management system has an arbitrary file upload vulnerability in the picture upload point of the "package_edit.php" file. |
CVE-2022-30887 | 1 Pharmacy Management System Project | 1 Pharmacy Management System | 2024-08-03 | 9.8 Critical | Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file. |
CVE-2022-30808 | 1 Elitecms | 1 Elite Cms | 2024-08-03 | 9.8 Critical | elitecms 1.0.1 is vulnerable to arbitrary code execution via admin/manage_uploads.php. |
CVE-2022-30506 | 1 Mingsoft | 1 Mcms | 2024-08-03 | 9.8 Critical | An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file. |
CVE-2022-30529 | 1 Isic.lk Project | 1 Isic.lk | 2024-08-03 | 7.2 High | A file upload vulnerability in asith-eranga ISIC tour booking, through the version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php. |
CVE-2022-30423 | 1 Merchandise Online Store Project | 1 Merchandise Online Store | 2024-08-03 | 9.8 Critical | Merchandise Online Store v1.0 by oretnom23 has an arbitrary code execution (RCE) vulnerability in the user profile upload point in the system information. |
CVE-2022-30448 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-08-03 | 9.8 Critical | Hospital Management System in PHP with Source Code (HMS) 1.0 was discovered to contain a file upload vulnerability in treatmentrecord.php. |
CVE-2022-30007 | 1 Gxcms Project | 1 Gxcms | 2024-08-03 | 7.2 High | GXCMS V1.5 has a file upload vulnerability in the background. The vulnerability is in the template management page: any template's content can be edited and the file then renamed with a PHP suffix; once the resulting PHP file is requested, the server can be controlled. |
CVE-2022-29725 | 1 Creatiwity | 1 Witycms | 2024-08-03 | 8.8 High | An arbitrary file upload in the image upload component of wityCMS v0.6.2 allows attackers to execute arbitrary code via a crafted PHP file. |
CVE-2022-29655 | 1 Wedding Management System Project | 1 Wedding Management System | 2024-08-03 | 7.2 High | An arbitrary file upload vulnerability in the Upload Photos module of Wedding Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. |