Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-3705 | | | 2024-07-05 | N/A | 8.8 HIGH | Unrestricted file upload vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to send a POST request to the endpoint '/opengnsys/images/M_Icons.php' modifying the file extension, due to lack of file extension verification, resulting in a webshell injection.
CVE-2022-31362 | 1 Docebo | 1 Docebo | 2024-07-03 | 6.5 MEDIUM | 8.8 HIGH | Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-3508 | | | 2024-07-03 | N/A | 4.3 MEDIUM | A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
CVE-2024-35510 | | | 2024-07-03 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.114 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-35080 | | | 2024-07-03 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability in the gok4 method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file.
CVE-2024-34909 | 1 Kykms | 1 Kykms | 2024-07-03 | N/A | 5.4 MEDIUM | An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file.
CVE-2024-33836 | | | 2024-07-03 | N/A | 9.8 CRITICAL | In the module "JA Marketplace" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with extensions .php. In version 6.X, the method `JmarketplaceproductModuleFrontController::init()` and in version 8.X, the method `JmarketplaceSellerproductModuleFrontController::init()` allow upload of .php files, which will lead to a critical vulnerability.
CVE-2024-33752 | | | 2024-07-03 | N/A | 6.3 MEDIUM | An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code.
CVE-2024-33120 | | | 2024-07-03 | N/A | 9.8 CRITICAL | Roothub v2.5 was discovered to contain an arbitrary file upload vulnerability via the customPath parameter in the upload() function. This vulnerability allows attackers to execute arbitrary code via a crafted JSP file.
CVE-2024-32161 | | | 2024-07-03 | N/A | 9.8 CRITICAL | jizhiCMS 2.5 suffers from a file upload vulnerability.
CVE-2024-31615 | | | 2024-07-03 | N/A | 9.8 CRITICAL | ThinkCMF 6.0.9 is vulnerable to file upload via UeditorController.php.
CVE-2024-31012 | | | 2024-07-03 | N/A | 9.8 CRITICAL | An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file.
CVE-2024-29848 | | | 2024-07-03 | N/A | 7.2 HIGH | An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
CVE-2024-28269 | | | 2024-07-03 | N/A | 7.2 HIGH | ReCrystallize Server 5.10.0.0 allows administrators to upload files to the server. The file upload is not restricted, leading to the ability to upload malicious files. This could result in a Remote Code Execution.
CVE-2024-23534 | | | 2024-07-03 | N/A | 8.8 HIGH | An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
CVE-2024-22263 | | | 2024-07-03 | N/A | 8.8 HIGH | Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server.
CVE-2023-46694 | | | 2024-07-03 | N/A | 8.1 HIGH | Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, potentially enabling them to execute remote commands. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the Ckeditor file manager functionality.
CVE-2021-26918 | 1 Probot | 1 Bot | 2024-07-03 | 7.5 HIGH | 9.8 CRITICAL | The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side."
CVE-2022-29622 | 1 Formidable Project | 1 Formidable | 2024-07-02 | 7.5 HIGH | 9.8 CRITICAL | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.
CVE-2024-6439 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-07-02 | 6.5 MEDIUM | 9.8 CRITICAL | A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270167.