Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-22968 | 1 Concretecms | 1 Concrete Cms | 2023-06-30 | 6.5 MEDIUM | 7.2 HIGH | A bypass of adding remote files in the Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it is possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory. The Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 (AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N). This fix is also in Concrete version 9.0.0.
CVE-2023-32753 | 1 Itpison | 1 Omicard Edm | 2023-06-30 | N/A | 9.8 CRITICAL | OMICARD EDM's file uploading function does not restrict the upload of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary system commands or disrupt service.
CVE-2023-1721 | 1 Yoga Class Registration System Project | 1 Yoga Class Registration System | 2023-06-30 | N/A | 7.2 HIGH | Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.
CVE-2023-36097 | 1 Funadmin | 1 Funadmin | 2023-06-28 | N/A | 9.8 CRITICAL | funadmin v3.3.2 and v3.3.3 are vulnerable to insecure file upload via the plugins install.
CVE-2020-20718 | 1 Pluck-cms | 1 Pluckcms | 2023-06-28 | N/A | 9.8 CRITICAL | File upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the save_file() parameter.
CVE-2020-20067 | 1 Ebcms | 1 Ebcms | 2023-06-27 | N/A | 8.8 HIGH | File upload vulnerability in ebCMS v.1.1.0 allows a remote attacker to execute arbitrary code via the upload type parameter.
CVE-2020-21325 | 1 Wuzhicms | 1 Wuzhicms | 2023-06-27 | N/A | 8.8 HIGH | An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file.
CVE-2020-21474 | 1 Nucleuscms | 1 Nucleuscms | 2023-06-27 | N/A | 9.8 CRITICAL | File upload vulnerability in NucleusCMS v.3.71 allows a remote attacker to execute arbitrary code via the /nucleus/plugins/skinfiles/?dir=rsd parameter.
CVE-2020-21489 | 1 Feehi | 1 Feehicms | 2023-06-27 | N/A | 9.8 CRITICAL | File upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.
CVE-2020-20735 | 1 8cms | 1 Ljcms | 2023-06-27 | N/A | 9.8 CRITICAL | File upload vulnerability in LJCMS v.4.3.R60321 allows a remote attacker to execute arbitrary code via the ljcms/index.php parameter.
CVE-2020-20919 | 1 Pluck-cms | 1 Pluck | 2023-06-27 | N/A | 7.2 HIGH | File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.
CVE-2020-20969 | 1 Pluck-cms | 1 Pluck | 2023-06-27 | N/A | 7.2 HIGH | File upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
CVE-2020-21174 | 1 Feehi | 1 Feehicms | 2023-06-27 | N/A | 9.8 CRITICAL | File upload vulnerability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.
CVE-2022-39301 | 1 Sra-admin Project | 1 Sra-admin | 2023-06-27 | N/A | 5.4 MEDIUM | sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an HTML page containing XSS attack code in "Personal Center" - "Profile Picture Upload", allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.
CVE-2022-0959 | 1 Postgresql | 1 Pgadmin 4 | 2023-06-27 | 3.5 LOW | 6.5 MEDIUM | A malicious, but authorised and authenticated, user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.
CVE-2022-1811 | 1 Publify Project | 1 Publify | 2023-06-27 | 3.5 LOW | 5.4 MEDIUM | Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.
CVE-2021-26634 | 2 Linux, Maxb | 2 Linux Kernel, Maxboard | 2023-06-26 | 7.5 HIGH | 9.8 CRITICAL | SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of the files comprising Maxboard, which may lead to arbitrary code execution or privilege escalation. Attackers can use these vulnerabilities to perform attacks such as stealing server management rights using a web shell.
CVE-2022-45802 | 1 Apache | 1 Streampark | 2023-06-26 | N/A | 9.8 CRITICAL | StreamPark allows any user to upload a jar as an application, but there is no mandatory verification of the uploaded file type, so users can upload high-risk files and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
CVE-2023-34660 | 1 Jeecg | 1 Jeecg Boot | 2023-06-23 | N/A | 6.5 MEDIUM | jeecg-boot V3.5.0 has an unauthorized arbitrary file upload in the /jeecg-boot/jmreport/upload interface.
CVE-2023-31541 | 1 Ckeditor | 1 Ckeditor | 2023-06-22 | N/A | 9.8 CRITICAL | An unrestricted file upload vulnerability was discovered in the 'Browse and upload images' feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.