Total
2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2015-9338 | 1 Iptanus | 1 Wordpress File Upload | 2019-08-29 | 5.0 MEDIUM | 7.5 HIGH | The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.
CVE-2015-9341 | 1 Iptanus | 1 Wordpress File Upload | 2019-08-29 | 5.0 MEDIUM | 7.5 HIGH | The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files.
CVE-2019-15091 | 1 Artica | 1 Integria Ims | 2019-08-27 | 7.5 HIGH | 9.8 CRITICAL | filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload.
CVE-2019-14755 | 1 Leaftecnologia | 1 Leaf Admin | 2019-08-20 | 6.5 MEDIUM | 8.8 HIGH | The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.
CVE-2019-5395 | 1 Hp | 2 3par Service Processor, 3par Service Processor Firmware | 2019-08-16 | 6.5 MEDIUM | 8.8 HIGH | A remote arbitrary file upload vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1.
CVE-2019-14748 | 1 Osticket | 1 Osticket | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
CVE-2018-20925 | 1 Cpanel | 1 Cpanel | 2019-08-12 | 4.6 MEDIUM | 6.7 MEDIUM | cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface (SEC-379).
CVE-2017-18435 | 1 Cpanel | 1 Cpanel | 2019-08-09 | 7.5 HIGH | 7.3 HIGH | cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238).
CVE-2019-7912 | 1 Magento | 1 Magento | 2019-08-09 | 6.5 MEDIUM | 7.2 HIGH | A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of malicious files on the server.
CVE-2019-7930 | 1 Magento | 1 Magento | 2019-08-07 | 9.0 HIGH | 7.2 HIGH | A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system.
CVE-2019-7861 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH | Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
CVE-2019-3960 | 1 Wallaceit | 1 Wallacepos | 2019-08-06 | 6.5 MEDIUM | 7.2 HIGH | Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file.
CVE-2019-11223 | 1 Supportcandy | 1 Supportcandy | 2019-08-01 | 7.5 HIGH | 9.8 CRITICAL | An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
CVE-2019-9189 | 1 Primasystems | 1 Flexair | 2019-07-31 | 9.0 HIGH | 8.8 HIGH | Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access.
CVE-2019-10267 | 1 Ahsay | 1 Cloud Backup Suite | 2019-07-31 | 9.0 HIGH | 8.8 HIGH | An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).
CVE-2019-13980 | 1 Rangerstudio | 1 Directus 7 Api | 2019-07-22 | 6.8 MEDIUM | 8.8 HIGH | In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.
CVE-2019-13979 | 1 Rangerstudio | 1 Directus 7 Api | 2019-07-22 | 6.8 MEDIUM | 8.8 HIGH | In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.
CVE-2019-13984 | 1 Rangerstudio | 1 Directus 7 Api | 2019-07-22 | 6.8 MEDIUM | 8.8 HIGH | Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File.
CVE-2019-13973 | 1 Layerbb | 1 Layerbb | 2019-07-19 | 7.5 HIGH | 9.8 CRITICAL | LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used.
CVE-2019-0327 | 1 Sap | 1 Netweaver Application Server Java | 2019-07-18 | 6.5 MEDIUM | 7.2 HIGH | SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.