Search
Total
736 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44094 | 1 Zrlog | 1 Zrlog | 2021-11-29 | 6.8 MEDIUM | 7.8 HIGH |
| ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file | |||||
| CVE-2021-41675 | 1 E-negosyo System Project | 1 E-negosyo System | 2021-11-28 | 6.5 MEDIUM | 7.2 HIGH |
| A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. . | |||||
| CVE-2021-40524 | 1 Pureftpd | 1 Pure-ftpd | 2021-11-26 | 5.0 MEDIUM | 7.5 HIGH |
| In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) | |||||
| CVE-2021-42839 | 1 Vice | 1 Webopac | 2021-11-16 | 9.0 HIGH | 8.8 HIGH |
| Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logging in with general user’s permission, remote attackers can upload malicious script and execute arbitrary code to control the system or interrupt services. | |||||
| CVE-2020-23572 | 1 Beescms | 1 Beescms | 2021-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| BEESCMS v4.0 was discovered to contain an arbitrary file upload vulnerability via the component /admin/upload.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file. | |||||
| CVE-2021-34685 | 1 Hitachi | 1 Vantara Pentaho | 2021-11-09 | 6.5 MEDIUM | 7.2 HIGH |
| UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution). | |||||
| CVE-2021-31599 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2021-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code. | |||||
| CVE-2018-25019 | 1 Learndash | 1 Learndash | 2021-11-03 | 5.0 MEDIUM | 7.5 HIGH |
| The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server | |||||
| CVE-2021-38847 | 1 S-cart | 1 S-cart | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH |
| S-Cart v6.4.1 and below was discovered to contain an arbitrary file upload vulnerability in the Editor module on the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted IMG file. | |||||
| CVE-2021-41645 | 1 Budget And Expense Tracker System Project | 1 Budget And Expense Tracker System | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. . | |||||
| CVE-2021-40344 | 1 Nagios | 1 Nagios Xi | 2021-11-02 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution. | |||||
| CVE-2020-11476 | 1 Concretecms | 1 Concrete Cms | 2021-11-01 | 9.0 HIGH | 7.2 HIGH |
| Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. | |||||
| CVE-2020-24986 | 1 Concretecms | 1 Concrete Cms | 2021-11-01 | 9.0 HIGH | 7.2 HIGH |
| Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands. | |||||
| CVE-2020-36485 | 1 Madeportable | 1 Playable | 2021-10-28 | 4.6 MEDIUM | 7.8 HIGH |
| Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file. | |||||
| CVE-2021-37372 | 1 Online Student Admission System Project | 1 Online Student Admission System | 2021-10-28 | 6.5 MEDIUM | 8.8 HIGH |
| Online Student Admission System 1.0 is affected by an insecure file upload vulnerability. A low privileged user can upload malicious PHP files by updating their profile image to gain remote code execution. | |||||
| CVE-2021-37221 | 1 Customer Relationship Management System Project | 1 Customer Relationship Management System | 2021-10-28 | 6.5 MEDIUM | 8.8 HIGH |
| A file upload vulnerability exists in Sourcecodester Customer Relationship Management System 1.0 via the account update option & customer create option, which could let a remote malicious user upload an arbitrary php file. . | |||||
| CVE-2020-23043 | 1 Air Sender Project | 1 Air Sender | 2021-10-27 | 6.5 MEDIUM | 8.8 HIGH |
| Tran Tu Air Sender v1.0.2 was discovered to contain an arbitrary file upload vulnerability in the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2021-38484 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 9.0 HIGH | 7.2 HIGH |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 do not have a filter or signature check to detect or prevent an upload of malicious files to the server, which may allow an attacker, acting as an administrator, to upload malicious files. This could result in cross-site scripting, deletion of system files, and remote code execution. | |||||
| CVE-2021-3846 | 1 Firefly-iii | 1 Firefly Iii | 2021-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-20130 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-19 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface. | |||||
| CVE-2021-20131 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-19 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface. | |||||
| CVE-2021-40189 | 1 Php-fusion | 1 Phpfusion | 2021-10-19 | 6.5 MEDIUM | 7.2 HIGH |
| PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code. | |||||
| CVE-2021-40188 | 1 Php-fusion | 1 Phpfusion | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server. | |||||
| CVE-2017-12678 | 2 Debian, Taglib | 2 Debian Linux, Taglib | 2021-10-18 | 6.8 MEDIUM | 8.8 HIGH |
| In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file. | |||||
| CVE-2021-41919 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 6.5 MEDIUM | 8.8 HIGH |
| webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing a personal profile picture. The affected endpoint is /includes/upload.php on the HTTP POST data. This allows an attacker to exploit the platform by injecting code or malware and, under certain conditions, to execute code on remote user browsers. | |||||
| CVE-2021-20584 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 199397. | |||||
| CVE-2021-40324 | 1 Cobbler Project | 1 Cobbler | 2021-10-12 | 5.0 MEDIUM | 7.5 HIGH |
| Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | |||||
| CVE-2021-37105 | 1 Huawei | 1 Fusioncompute | 2021-10-06 | 4.3 MEDIUM | 7.5 HIGH |
| There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal. | |||||
| CVE-2021-24663 | 1 Simple Schools Staff Directory Project | 1 Simple Schools Staff Directory | 2021-10-01 | 6.5 MEDIUM | 7.2 HIGH |
| The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE | |||||
| CVE-2020-21483 | 1 Jizhicms | 1 Jizhicms | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file. | |||||
| CVE-2021-33698 | 1 Sap | 1 Business One | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. | |||||
| CVE-2021-40845 | 1 Zenitel | 1 Alphacom Xe Audio Server | 2021-09-27 | 6.5 MEDIUM | 8.8 HIGH |
| The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory. | |||||
| CVE-2021-24620 | 1 Simple-e-commerce-shopping-cart Project | 1 Simple-e-commerce-shopping-cart | 2021-09-27 | 6.8 MEDIUM | 8.8 HIGH |
| The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE | |||||
| CVE-2020-21481 | 1 Rgcms Project | 1 Rgcms | 2021-09-27 | 6.5 MEDIUM | 7.2 HIGH |
| An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file. | |||||
| CVE-2020-20672 | 1 Kitesky | 1 Kitecms | 2021-09-23 | 6.8 MEDIUM | 7.8 HIGH |
| An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file. | |||||
| CVE-2020-20670 | 1 Zkea | 1 Zkeacms | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file. | |||||
| CVE-2020-21564 | 1 Pluck-cms | 1 Pluck | 2021-09-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?action=files. | |||||
| CVE-2020-8260 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2021-09-21 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | |||||
| CVE-2021-34551 | 3 Fedoraproject, Microsoft, Phpmailer Project | 3 Fedora, Windows, Phpmailer | 2021-09-20 | 5.1 MEDIUM | 8.1 HIGH |
| PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. | |||||
| CVE-2021-39608 | 1 Flatcore | 1 Flatcore-cms | 2021-09-14 | 9.0 HIGH | 7.2 HIGH |
| Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code. | |||||
| CVE-2019-6839 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2021-09-14 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to upload a rogue file. | |||||
| CVE-2021-38841 | 1 Simple Water Refilling Station Management System Project | 1 Simple Water Refilling Station Management System | 2021-09-13 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution can occur in Simple Water Refilling Station Management System 1.0 via the System Logo option on the system_info page in classes/SystemSettings.php with an update_settings action. | |||||
| CVE-2021-36034 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2021-09-08 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution. | |||||
| CVE-2021-36041 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2021-09-08 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/media` directory could lead to remote code execution. | |||||
| CVE-2021-36040 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2021-09-08 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution. | |||||
| CVE-2021-36042 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2021-09-08 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution. | |||||
| CVE-2021-29907 | 3 Ibm, Linux, Microsoft | 4 Openpages With Watson, Openpages Wtih Watson, Linux Kernel and 1 more | 2021-09-07 | 6.5 MEDIUM | 8.8 HIGH |
| IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticated user to upload a file that could execute arbitrary code on the system. IBM X-Force ID: 207633. | |||||
| CVE-2020-27461 | 1 Seopanel | 1 Seopanel | 2021-08-30 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability in SEOPanel 4.6.0 has been fixed for 4.7.0. This vulnerability allowed for remote code execution through an authenticated file upload via the Settings Panel>Import website function. | |||||
| CVE-2021-38366 | 1 Sitecore | 1 Sitecore | 2021-08-25 | 6.8 MEDIUM | 8.8 HIGH |
| Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL. | |||||
| CVE-2020-18886 | 1 Phpmywind | 1 Phpmywind | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. | |||||