Search
Total
528 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21344 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2022-23329 | 1 Ujcms | 1 Jspxcms | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files. | |||||
| CVE-2021-26473 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. | |||||
| CVE-2021-46386 | 1 Mingsoft | 1 Mcms | 2022-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: File Upload. The impact is: execute arbitrary code (remote). The component is: net.mingsoft.basic.action.web.FileAction#upload. The attack vector is: jspx webshell. ¶¶ MCMS has a file upload vulnerability through which attacker can upload a webshell. Successful attacks of this vulnerability can result in takeover of MCMS | |||||
| CVE-2021-46428 | 1 Simple Chatbot Application Project | 1 Simple Chatbot Application | 2022-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php. | |||||
| CVE-2021-46033 | 1 Forestblog Project | 1 Forestblog | 2022-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| In ForestBlog, as of 2021-12-28, File upload can bypass verification. | |||||
| CVE-2022-23315 | 1 Mingsoft | 1 Mcms | 2022-01-26 | 7.5 HIGH | 9.8 CRITICAL |
| MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. | |||||
| CVE-2022-22929 | 1 Mingsoft | 1 Mcms | 2022-01-26 | 7.5 HIGH | 9.8 CRITICAL |
| MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. | |||||
| CVE-2021-46013 | 1 Free School Management Software Project | 1 Free School Management Software | 2022-01-24 | 7.5 HIGH | 9.8 CRITICAL |
| An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is saved into /uploads/exam_question/ directory, and is accessible by all users. | |||||
| CVE-2021-45411 | 1 Printable Staff Id Card Creator System Project | 1 Printable Staff Id Card Creator System | 2022-01-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution. | |||||
| CVE-2020-29597 | 1 Incomcms Project | 1 Incomcms | 2022-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server. | |||||
| CVE-2021-44159 | 1 4mosan | 1 Gcb Doctor | 2022-01-03 | 10.0 HIGH | 9.8 CRITICAL |
| 4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or deny of service attack. | |||||
| CVE-2020-24186 | 1 Gvectors | 1 Wpdiscuz | 2022-01-01 | 7.5 HIGH | 10.0 CRITICAL |
| A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action. | |||||
| CVE-2020-25213 | 1 Webdesi9 | 1 File Manager | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. | |||||
| CVE-2021-44031 | 1 Quest | 1 Kace Desktop Authority | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code execution. An attacker could upload a .ASP file to reside at /images/{GUID}/{filename}. | |||||
| CVE-2021-44164 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service. | |||||
| CVE-2021-41560 | 1 Opencats | 1 Opencats | 2021-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. | |||||
| CVE-2021-43117 | 1 Fastadmin | 1 Fastadmin | 2021-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. | |||||
| CVE-2021-41646 | 1 Online Reviewer System Project | 1 Online Reviewer System | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.. | |||||
| CVE-2021-40883 | 1 Emlog | 1 Emlog | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. | |||||
| CVE-2019-9581 | 1 Twinkletoessoftware | 1 Booked | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension. | |||||
| CVE-2021-43936 | 1 Webhmi | 2 Webhmi, Webhmi Firmware | 2021-12-13 | 10.0 HIGH | 9.8 CRITICAL |
| The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution. | |||||
| CVE-2021-42099 | 1 Zohocorp | 1 Manageengine M365 Manager Plus | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution. | |||||
| CVE-2021-42669 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-29 | 10.0 HIGH | 9.8 CRITICAL |
| A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id. | |||||
| CVE-2021-44093 | 1 Zrlog | 1 Zrlog | 2021-11-29 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell | |||||
| CVE-2021-43617 | 1 Laravel | 1 Framework | 2021-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload. | |||||
| CVE-2021-41833 | 1 Zohocorp | 1 Manageengine Patch Connect Plus | 2021-11-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution. | |||||
| CVE-2021-28023 | 1 Servicetonic | 1 Servicetonic | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths. | |||||
| CVE-2021-36623 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2021-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary File Upload in Sourcecodester Phone Shop Sales Management System 1.0 enables RCE. | |||||
| CVE-2020-18261 | 1 Ed01-cms Project | 1 Ed01-cms | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands. | |||||
| CVE-2021-26740 | 1 Doyocms Project | 1 Doyocms | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code. | |||||
| CVE-2021-41643 | 1 Church Management System Project | 1 Church Management System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field. | |||||
| CVE-2021-41644 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters. | |||||
| CVE-2021-36548 | 1 Monstra | 1 Monstra | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file. | |||||
| CVE-2021-36547 | 1 Mara Cms Project | 1 Mara Cms | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in the component /codebase/dir.php?type=filenew of Mara v7.5 allows attackers to execute arbitrary commands via a crafted PHP file. | |||||
| CVE-2021-38471 | 1 Auvesy | 1 Versiondog | 2021-10-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files. | |||||
| CVE-2021-41745 | 1 Showdoc | 1 Showdoc | 2021-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| ShowDoc 2.8.3 ihas a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions. | |||||
| CVE-2021-42342 | 1 Embedthis | 1 Goahead | 2021-10-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts. | |||||
| CVE-2021-20125 | 1 Draytek | 1 Vigorconnect | 2021-10-19 | 10.0 HIGH | 9.8 CRITICAL |
| An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. An unauthenticated attacker could leverage this vulnerability to upload files to any location on the target operating system with root privileges. | |||||
| CVE-2021-41566 | 1 Tadtools Project | 1 Tadtools | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| The file extension of the TadTools file upload function fails to filter, thus remote attackers can upload any types of files and execute arbitrary code without logging in. | |||||
| CVE-2021-37919 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37918 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37762 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution. | |||||
| CVE-2021-37926 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37921 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37920 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37923 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37924 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37930 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||
| CVE-2021-37929 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||||