Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-3267 | 1 Kitesky | 1 Kitecms | 2023-04-10 | N/A | 7.2 HIGH |
File Upload vulnerability found in KiteCMS v.1.1 allows a remote attacker to execute arbitrary code via the uploadFile function. | |||||
CVE-2021-31707 | 1 Kitesky | 1 Kitecms | 2023-04-10 | N/A | 9.8 CRITICAL |
Permissions vulnerability found in KiteCMS allows a remote attacker to execute arbitrary code via the upload file type. | |||||
CVE-2023-26262 | 1 Sitecore | 2 Experience Manager, Experience Platform | 2023-04-10 | N/A | 7.2 HIGH |
An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, an unrestricted language file upload vulnerability exists that can lead to direct code execution on the content management (CM) server. | |||||
CVE-2023-26830 | 1 Gladinet | 1 Centrestack | 2023-04-07 | N/A | 7.2 HIGH |
An unrestricted file upload vulnerability in the administrative portal branding component of Gladinet CentreStack before 13.5.9808 allows authenticated attackers to execute arbitrary code by uploading malicious files to the server. | |||||
CVE-2023-28833 | 1 Nextcloud | 1 Nextcloud Server | 2023-04-07 | N/A | 8.8 HIGH |
Nextcloud server is an open source home cloud implementation. In affected versions, admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means, but this method could be exploited by tricking an admin into uploading a maliciously named file. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should avoid ingesting logo files from untrusted sources. | |||||
CVE-2022-47190 | 1 Generex | 2 Cs141, Cs141 Firmware | 2023-04-06 | N/A | 9.8 CRITICAL |
Generex UPS CS141 below version 2.06 could allow a remote attacker to upload a firmware file containing a webshell, which could allow them to execute arbitrary code as root. | |||||
CVE-2022-47191 | 1 Generex | 2 Cs141, Cs141 Firmware | 2023-04-06 | N/A | 8.8 HIGH |
Generex UPS CS141 below version 2.06 could allow a remote attacker to upload a firmware file containing a file with modified permissions, allowing them to escalate privileges. | |||||
CVE-2023-26968 | 1 Atrocore | 1 Atrocore | 2023-04-05 | N/A | 9.8 CRITICAL |
In Atrocore 1.5.25, the Create Import Feed option with the glyphicon-glyphicon-paperclip function is vulnerable to unauthenticated file upload. | |||||
CVE-2023-27246 | 1 Mk-auth | 1 Mk-auth | 2023-04-04 | N/A | 8.8 HIGH |
An arbitrary file upload vulnerability in the Virtual Disk of MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted .htaccess file. | |||||
CVE-2022-48194 | 1 Tp-link | 2 Tl-wr902ac, Tl-wr902ac Firmware | 2023-04-03 | N/A | 8.8 HIGH |
TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate. | |||||
CVE-2022-31161 | 1 Roxy-wi | 1 Roxy-wi | 2023-04-03 | N/A | 9.8 CRITICAL |
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue. | |||||
CVE-2023-27164 | 1 Halo | 1 Halo | 2023-03-31 | N/A | 4.8 MEDIUM |
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file. | |||||
CVE-2023-25909 | 1 Hgiga | 1 Oaklouds Portal | 2023-03-31 | N/A | 9.8 CRITICAL |
The HGiga OAKlouds file uploading function does not restrict upload of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary commands or disrupt service. | |||||
CVE-2020-19786 | 1 Cszcms | 1 Csz Cms | 2023-03-30 | N/A | 8.8 HIGH |
File upload vulnerability in CSKaza CSZ CMS v.1.2.2, fixed in v1.2.4, allows an attacker to execute arbitrary commands and code via a crafted PHP file. | |||||
CVE-2022-3552 | 1 Boxbilling | 1 Boxbilling | 2023-03-28 | N/A | 7.2 HIGH |
Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1. | |||||
CVE-2023-25655 | 1 Basercms | 1 Basercms | 2023-03-28 | N/A | 9.8 CRITICAL |
baserCMS is a Content Management system. Prior to version 4.7.5, any file may be uploaded on the management system of baserCMS. Version 4.7.5 contains a patch. | |||||
CVE-2023-25654 | 1 Basercms | 1 Basercms | 2023-03-28 | N/A | 9.8 CRITICAL |
baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch. | |||||
CVE-2023-28725 | 1 Generalbytes | 1 Crypto Application Server | 2023-03-27 | N/A | 9.1 CRITICAL |
General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments directory, aka BATM-4780, as exploited in the wild in March 2023. This is fixed in 20221118.48 and 20230120.44. | |||||
CVE-2022-26521 | 1 Abantecart | 1 Abantecart | 2023-03-27 | 6.5 MEDIUM | 7.2 HIGH |
Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type). | |||||
CVE-2022-26149 | 1 Modx | 1 Revolution | 2023-03-27 | 6.5 MEDIUM | 7.2 HIGH |
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator. |