Total: 2367 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-9209 | 1 Fineuploader | 1 Php-traditional-server | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2 |
CVE-2018-0686 | 1 Neo | 2 Debun Imap, Debun Pop | 2018-12-17 | 6.5 MEDIUM | 8.8 HIGH | Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote authenticated attackers to upload and execute any executable files via unspecified vectors. |
CVE-2018-0645 | 1 Bit-part | 1 Mtappjquery | 2018-12-13 | 7.5 HIGH | 9.8 CRITICAL | MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors. |
CVE-2018-17055 | 1 Progress | 1 Sitefinity | 2018-12-12 | 5.0 MEDIUM | 7.5 HIGH | An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. |
CVE-2018-19126 | 1 Prestashop | 1 Prestashop | 2018-12-12 | 7.5 HIGH | 9.8 CRITICAL | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. |
CVE-2018-11392 | 1 Jigowatt | 1 Php Login & User Management | 2018-12-11 | 6.5 MEDIUM | 8.8 HIGH | An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. This results in arbitrary code execution by requesting the .php file. |
CVE-2018-18771 | 1 Lulucms | 1 Lulu Cms | 2018-12-11 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in LuLu CMS through 2015-05-14. backend\modules\filemanager\controllers\DefaultController.php allows arbitrary file upload by entering a filename, directory name, and PHP code into the three text input fields. |
CVE-2018-18830 | 1 Mingsoft | 1 Mcms | 2018-12-11 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, which can be accessed to execute arbitrary JSP code. |
CVE-2018-18934 | 1 Popojicms | 1 Popojicms | 2018-12-11 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF. |
CVE-2018-18874 | 1 Nconsulting | 1 Nc-cms | 2018-12-10 | 7.5 HIGH | 9.8 CRITICAL | nc-cms through 2017-03-10 allows remote attackers to execute arbitrary PHP code via the "Upload File or Image" feature, with a .php filename and "Content-Type: application/octet-stream" to the index.php?action=file_manager_upload URI. |
CVE-2018-9208 | 1 Tuyoshi | 1 Jquery Picture Cut | 2018-12-10 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta |
CVE-2018-18752 | 1 Webiness Project | 1 Webiness Inventory | 2018-12-07 | 7.5 HIGH | 9.8 CRITICAL | Webiness Inventory 2.3 suffers from an Arbitrary File upload vulnerability via PHP code in the protected/library/ajax/WsSaveToModel.php logo parameter. |
CVE-2018-17139 | 1 Ultimatefosters | 1 Ultimatepos | 2018-11-29 | 6.5 MEDIUM | 8.8 HIGH | UltimatePOS 2.5 allows users to upload arbitrary files, which leads to remote command execution by posting to a /products URI with PHP code in a .php file with the image/jpeg content type. |
CVE-2018-16821 | 1 Seacms | 1 Seacms | 2018-11-27 | 5.0 MEDIUM | 5.3 MEDIUM | SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests. |
CVE-2018-16796 | 1 Hiscout | 1 Grc Suite | 2018-11-25 | 9.0 HIGH | 8.8 HIGH | HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files with Dangerous Types. |
CVE-2018-18086 | 1 Phome | 1 Empirecms | 2018-11-25 | 6.5 MEDIUM | 8.8 HIGH | EmpireCMS v7.5 has an arbitrary file upload vulnerability in the LoadInMod function in e/class/moddofun.php, exploitable by logged-in users. |
CVE-2015-9271 | 1 Videowhisper | 1 Video Conference | 2018-11-23 | 7.5 HIGH | 9.8 CRITICAL | The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905. |
CVE-2018-17573 | 1 Smartlogix | 1 Wp-insert | 2018-11-23 | 7.5 HIGH | 9.8 CRITICAL | The Wp-Insert plugin through 2.4.2 for WordPress allows upload of arbitrary PHP code because of the exposure and configuration of FCKeditor under fckeditor/editor/filemanager/browser/default/browser.html, fckeditor/editor/filemanager/connectors/test.html, and fckeditor/editor/filemanager/connectors/uploadtest.html. |
CVE-2018-17553 | 1 Naviwebs | 1 Navigate Cms | 2018-11-19 | 6.5 MEDIUM | 8.8 HIGH | An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php. |
CVE-2018-16974 | 1 Elefantcms | 1 Elefant | 2018-11-19 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters (for bypassing the blacklist). |