Total: 2288 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36141 | 1 Bloofox | 1 Bloofoxcms | 2024-02-14 | 6.5 MEDIUM | 8.8 HIGH |
| BloofoxCMS 0.5.2.1 allows an Unrestricted File Upload vulnerability via bypassing MIME Type validation by inserting 'image/jpeg' within the 'Content-Type' header. | |||||
| CVE-2021-38697 | 1 Softvibe | 1 Saraban | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted File Upload, that allows attackers to upload files with any file extension which can lead to arbitrary code execution. | |||||
| CVE-2020-20287 | 1 Yccms | 1 Yccms | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper judgment of the request parameters, triggers remote code execution. | |||||
| CVE-2024-22515 | 1 Ispyconnect | 1 Agent Dvr | 2024-02-13 | N/A | 8.8 HIGH |
| Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component. | |||||
| CVE-2024-24000 | 1 Huaxiaerp | 1 Jsherp | 2024-02-13 | N/A | 9.8 CRITICAL |
| jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths. | |||||
| CVE-2024-0699 | 1 Meowapps | 1 Ai Engine | 2024-02-13 | N/A | 7.2 HIGH |
| The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-23811 | | | 2024-02-13 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution. | |||||
| CVE-2023-6635 | 1 Extendify | 1 Editorskit | 2024-02-12 | N/A | 7.2 HIGH |
| The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-25674 | 1 Misp | 1 Misp | 2024-02-12 | N/A | 9.8 CRITICAL |
| An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. | |||||
| CVE-2024-24024 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL |
| An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. | |||||
| CVE-2024-24025 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL |
| An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | |||||
| CVE-2024-24026 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL |
| An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | |||||
| CVE-2021-4436 | 1 Wp3dprinting | 1 3dprint Lite | 2024-02-10 | N/A | 9.8 CRITICAL |
| The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache. | |||||
| CVE-2023-6846 | 1 Filemanagerpro | 1 File Manager Pro | 2024-02-09 | N/A | 8.8 HIGH |
| The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents users lower than admin from executing this function. | |||||
| CVE-2024-1069 | 1 Crmperks | 1 Database For Contact Form 7, Wpforms, Elementor Forms | 2024-02-06 | N/A | 7.2 HIGH |
| The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-31505 | 1 Schlix | 1 Cms | 2024-02-06 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1 allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file. | |||||
| CVE-2023-6675 | 1 Nationalkeep | 1 Cybermath | 2024-02-06 | N/A | 9.8 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server. This issue affects CyberMath: from v.1.4 before v.1.5. | |||||
| CVE-2021-41645 | 1 Oretnom23 | 1 Budget And Expense Tracker System | 2024-02-03 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. | |||||
| CVE-2024-22550 | 1 Shopsite | 1 Shopsite | 2024-02-02 | N/A | 6.1 MEDIUM |
| An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. | |||||
| CVE-2005-0254 | 1 Guillaumegardey | 1 Biborb | 2024-02-02 | 4.3 MEDIUM | N/A |
| BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading and executing those files. | |||||
