Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10959 | 1 Bd | 10 Alaris Cc Syringe Pump, Alaris Cc Syringe Pump Firmware, Alaris Gateway Workstation and 7 more | 2019-10-09 | 7.5 HIGH | 10.0 CRITICAL |
| BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, 1.3.1 Build 13, This does not impact the latest firmware Versions 1.3.2 and 1.6.1, Additionally, the following products using software Version 2.3.6 and below, Alaris GS, Alaris GH, Alaris CC, Alaris TIVA, The application does not restrict the upload of malicious files during a firmware update. | |||||
| CVE-2019-1010209 | 1 Gorul | 1 Gourl | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE-434. The impact is: unauthenticated/unzuthorized Attacker can upload executable file in website. The component is: gourl.php#L5637. The fixed version is: 1.4.14. | |||||
| CVE-2019-1010123 | 1 Modx | 1 Modx Revolution | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php. | |||||
| CVE-2019-1010062 | 1 Pluck-cms | 1 Pluckcms | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php file. The fixed version is: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8. | |||||
| CVE-2019-0017 | 1 Juniper | 1 Junos Space | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| The Junos Space application, which allows Device Image files to be uploaded, has insufficient validity checking which may allow uploading of malicious images or scripts, or other content types. Affected releases are Juniper Networks Junos Space versions prior to 18.3R1. | |||||
| CVE-2018-7505 | 1 Advantech | 4 Webaccess, Webaccess\/nms, Webaccess Dashboard and 1 more | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code. | |||||
| CVE-2018-2420 | 1 Sap | 1 Internet Graphics Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation. | |||||
| CVE-2018-2404 | 1 Sap | 1 Disclosure Management | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. | |||||
| CVE-2018-1969 | 1 Ibm | 1 Security Identity Manager | 2019-10-09 | 6.5 MEDIUM | 9.9 CRITICAL |
| IBM Security Identity Manager 6.0.0 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 153750. | |||||
| CVE-2018-1552 | 1 Ibm | 1 Robotic Process Automation With Automation Anywhere | 2019-10-09 | 9.3 HIGH | 8.8 HIGH |
| IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code on the system, caused by a missing restriction in which file types can be uploaded to the control room. By uploading a malicious file and tricking a victim to run it, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 142889. | |||||
| CVE-2018-1453 | 1 Ibm | 1 Security Identity Manager | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Security Identity Manager Virtual Appliance 7.0 allows an authenticated attacker to upload or transfer files of dangerous types that can be automatically processed within the environment. IBM X-Force ID: 140055. | |||||
| CVE-2018-17936 | 1 Nuuo | 1 Nuuo Cms | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| NUUO CMS All versions 3.3 and prior the application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution. | |||||
| CVE-2018-0258 | 1 Cisco | 2 Prime Data Center Network Manager, Prime Infrastructure | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability affects the following products: Cisco Prime Data Center Network Manager (DCNM) Version 10.0 and later, and Cisco Prime Infrastructure (PI) All versions. Cisco Bug IDs: CSCvf32411, CSCvf81727. | |||||
| CVE-2017-6041 | 1 Marel | 44 A320, A320 Firmware, A325 and 41 more | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection. | |||||
| CVE-2017-6027 | 1 Codesys | 1 Web Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| An Arbitrary File Upload issue was discovered in 3S-Smart Software Solutions GmbH CODESYS Web Server. The following versions of CODESYS Web Server, part of the CODESYS WebVisu web browser visualization software, are affected: CODESYS Web Server Versions 2.3 and prior. A specially crafted web server request may allow the upload of arbitrary files (with a dangerous type) to the CODESYS Web Server without authorization which may allow remote code execution. | |||||
| CVE-2017-3189 | 1 Dotcms | 1 Dotcms | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
| The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. | |||||
| CVE-2017-2617 | 1 Hawt.io | 1 Hawtio | 2019-10-09 | 6.8 MEDIUM | 7.8 HIGH |
| hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed. | |||||
| CVE-2017-16772 | 1 Synology | 1 Photo Station | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter. | |||||
| CVE-2017-16736 | 1 Advantech | 1 Webaccess | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files. | |||||
| CVE-2017-16594 | 1 Netgain-systems | 1 Enterprise Manager | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows remote attackers to create arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp.db.save_005fimage_jsp servlet, which listens on TCP port 8081 by default. When parsing the id parameter, the process does not properly validate user-supplied data, which can allow for the upload of files. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5117. | |||||