Total: 2367 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-0403 | 1 Wpjos | 1 Library File Manager | 2022-04-11 | 5.5 MEDIUM | 8.1 HIGH | The Library File Manager WordPress plugin before 5.2.3 uses an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and has no authorisation or CSRF checks on its connector AJAX action, allowing any authenticated user, such as a subscriber, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as subscriber can create/upload/delete arbitrary files and folders.
CVE-2022-27249 | 1 Idearespa | 1 Reftree | 2022-04-09 | 9.0 HIGH | 8.8 HIGH | An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted .aspx file to the web root and then visiting the URL of that .aspx resource.
CVE-2021-32961 | 1 Auvesy-mdt | 2 Autosave, Autosave For System Platform | 2022-04-09 | 5.0 MEDIUM | 7.5 HIGH | A getfile function in MDT AutoSave versions prior to v6.02.06 lets a user supply an optional parameter that causes the request to be processed in a special manner. This can trigger the execution of an unzip command, which places a malicious .exe file in one of the locations the function searches, giving the attacker code execution.
CVE-2022-23155 | 1 Dell | 1 Wyse Management Suite | 2022-04-09 | 9.0 HIGH | 7.2 HIGH | Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-34257 | 1 Wpanel Cms Project | 1 Wpanel Cms | 2022-04-08 | 6.5 MEDIUM | 8.8 HIGH | Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file uploaded as (1) the Dashboard's Avatar image, (2) a Posts Folder image, (3) a Pages Folder image or (4) a Gallery Folder image.
CVE-2022-24136 | 1 Hospital Management System Project | 1 Hospital Management System | 2022-04-08 | 7.5 HIGH | 9.8 CRITICAL | Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulnerability in treatmentrecord.php. To exploit it, an attacker can upload any PHP file and then execute it.
CVE-2022-26645 | 1 Banking System Project | 1 Banking System | 2022-04-05 | 7.5 HIGH | 9.8 CRITICAL | A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.
CVE-2021-45865 | 1 Student Attendance Management System Project | 1 Student Attendance Management System | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL | A File Upload vulnerability exists in Sourcecodester Student Attendance Management System 1.0 via the file upload functionality.
CVE-2022-0499 | 1 Sermon Browser Project | 1 Sermon Browser | 2022-04-04 | 6.8 MEDIUM | 8.8 HIGH | The Sermon Browser WordPress plugin through 0.45.22 has no CSRF checks in place when uploading Sermon files and does not validate them in any way, allowing attackers to make a logged-in admin upload arbitrary files, such as PHP ones.
CVE-2021-43100 | 1 Diyhi | 1 Bbs | 2022-04-04 | 6.5 MEDIUM | 7.2 HIGH | A File Upload vulnerability exists in bbs 5.3 via TopicManageAction.java in the GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-27428 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2022-04-01 | 7.5 HIGH | 9.8 CRITICAL | GE UR IED firmware versions prior to 8.1x support upgrading firmware using the UR Setup configuration tool (Enervista UR Setup). This UR Setup tool validates the authenticity and integrity of the firmware file before uploading it to the UR IED. An illegitimate user could upgrade the firmware without appropriate privileges. The weakness has been assessed, and a mitigation is implemented in firmware version 8.10.
CVE-2021-43101 | 1 Diyhi | 1 Bbs | 2022-04-01 | 6.5 MEDIUM | 7.2 HIGH | A File Upload vulnerability exists in bbs 5.3 via MembershipCardManageAction.java in the GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43103 | 1 Diyhi | 1 Bbs | 2022-04-01 | 6.5 MEDIUM | 7.2 HIGH | A File Upload vulnerability exists in bbs 5.3 via ForumManageAction.java in the GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43102 | 1 Diyhi | 1 Bbs | 2022-04-01 | 6.5 MEDIUM | 7.2 HIGH | A File Upload vulnerability exists in bbs 5.3 via HelpManageAction.java in the GetType function, which lets a remote malicious user execute arbitrary code.
CVE-2021-43098 | 1 Diyhi | 1 Bbs | 2022-03-31 | 6.5 MEDIUM | 7.2 HIGH | A File Upload vulnerability exists in bbs v5.3 via QuestionManageAction.java in the getType function.
CVE-2022-22952 | 2 Microsoft, Vmware | 2 Windows, Carbon Black App Control | 2022-03-31 | 9.0 HIGH | 9.1 CRITICAL | VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where the AppC Server is installed by uploading a specially crafted file.
CVE-2019-9581 | 1 Twinkletoessoftware | 1 Booked | 2022-03-31 | 6.5 MEDIUM | 8.8 HIGH | phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary PHP code in Web/custom-favicon.php, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.
CVE-2022-25487 | 1 Thedigitalcraft | 1 Atomcms | 2022-03-31 | 7.5 HIGH | 9.8 CRITICAL | Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
CVE-2022-0687 | 1 Tms-outsource | 1 Amelia | 2022-03-30 | 6.5 MEDIUM | 8.8 HIGH | The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.
CVE-2019-20897 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2022-03-30 | 4.0 MEDIUM | 6.5 MEDIUM | The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
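Most entries in this list share one root cause: the server takes the file name, and therefore the extension, from the client (CVE-2022-0687 Amelia, CVE-2019-9581 Booked, CVE-2022-0403 elFinder options with no type restriction), so a `.php` or `.aspx` body lands under the web root and is executed on the next request. The CVE-2019-20897 entry shows a second failure mode of the same feature, where the image itself is crafted to exhaust the server. The Python below is an added example written for this page, not code from any of the listed projects: it shows the weak pattern beside a validator that allowlists extensions, checks the leading magic bytes against the declared type, caps the PNG dimensions read from the IHDR chunk, and generates the stored name server-side. The allowlist, the size and pixel caps, the `make_png_header` sample builder and all function names are assumptions made for the example; the IHDR dimension check is one common defence against crafted-PNG resource exhaustion and is not a claim about the specific Jira defect.

```python
import posixpath
import secrets
import struct

# Assumed policy for this hypothetical image-upload endpoint (not from any listed project):
# extension -> accepted leading magic bytes. Anything not listed is rejected outright.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024      # assumed size cap on the upload body
MAX_PIXELS = 25_000_000          # assumed width*height cap, to refuse decompression bombs


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def vulnerable_target_path(upload_dir, client_name):
    """The weak pattern: the client-supplied name, and so its extension, becomes the on-disk path.

    A name like 'shell.php' ends up under the web root with an executable extension, which is
    how the Amelia (CVE-2022-0687) and Booked (CVE-2019-9581) entries describe the defect.
    basename() stops directory traversal but does nothing about the extension.
    """
    return posixpath.join(upload_dir, posixpath.basename(client_name))


def png_dimensions(data):
    """Read width/height from the IHDR chunk, which must directly follow the 8-byte signature."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise UploadRejected("PNG without a leading IHDR chunk")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def validate_upload(client_name, data):
    """Validate an upload and return (canonical_ext, server_side_filename).

    The client name is used only to decide which type to expect; it never reaches the filesystem.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("upload exceeds size cap")
    base = posixpath.basename(client_name)
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:                      # no extension, or a dotfile such as .htaccess
        raise UploadRejected("missing or empty extension")
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match the declared type")
    if ext == "png":
        width, height = png_dimensions(data)
        if width == 0 or height == 0 or width * height > MAX_PIXELS:
            raise UploadRejected("PNG dimensions out of bounds")
    if ext == "jpeg":
        ext = "jpg"                              # one canonical extension per type
    # The stored name is generated here; nothing from the client survives into it.
    return ext, f"{secrets.token_hex(16)}.{ext}"


def rejection_reason(client_name, data):
    """Helper: None if the upload would be accepted, otherwise the rejection message."""
    try:
        validate_upload(client_name, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def make_png_header(width, height):
    """Constructed sample input: PNG signature plus an IHDR chunk (CRC left zeroed; not checked here)."""
    ihdr = b"IHDR" + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + ihdr + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    payload = b"<?php echo 'hello'; ?>"        # constructed stand-in for a PHP body
    print(vulnerable_target_path("uploads", "../shell.php"))                # uploads/shell.php
    print(rejection_reason("shell.php", payload))                           # not on the allowlist
    print(rejection_reason("shell.php.png", payload))                       # content/type mismatch
    print(rejection_reason("bomb.png", make_png_header(50_000, 50_000)))    # dimensions out of bounds
    print(validate_upload("avatar.png", make_png_header(64, 64)))           # ('png', '<random>.png')
```

The magic-byte check only proves the file starts like an image; a PHP body appended to a valid PNG still passes it, so the generated filename and an upload directory that the web server will not execute scripts from (or a separate static host) carry the real weight. The validator also reads the whole body into memory, which is fine behind the size cap but should be streamed for larger limits.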