Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43117 | 1 Fastadmin | 1 Fastadmin | 2021-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. | |||||
| CVE-2021-41870 | 1 Socomec | 2 Remote View Pro, Remote View Pro Firmware | 2021-12-17 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the firmware update form in Socomec REMOTE VIEW PRO 2.0.41.4. An authenticated attacker can bypass a client-side file-type check and upload arbitrary .php files. | |||||
| CVE-2021-41646 | 1 Online Reviewer System Project | 1 Online Reviewer System | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.. | |||||
| CVE-2021-40883 | 1 Emlog | 1 Emlog | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. | |||||
| CVE-2021-27984 | 1 Pluck-cms | 1 Pluck | 2021-12-14 | 7.5 HIGH | 8.1 HIGH |
| In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files. | |||||
| CVE-2021-36719 | 1 Cybonet | 1 Mail Secure | 2021-12-13 | 9.0 HIGH | 8.8 HIGH |
| PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code. | |||||
| CVE-2021-42133 | 1 Ivanti | 1 Avalanche | 2021-12-09 | 5.5 MEDIUM | 8.1 HIGH |
| An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write. | |||||
| CVE-2021-42125 | 1 Ivanti | 1 Avalanche | 2021-12-08 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files. | |||||
| CVE-2021-23562 | 1 Tiny | 1 Plupload | 2021-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file. | |||||
| CVE-2021-42099 | 1 Zohocorp | 1 Manageengine M365 Manager Plus | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution. | |||||
| CVE-2020-29176 | 1 Zblogcn | 1 Z-blogphp | 2021-12-06 | 6.8 MEDIUM | 7.8 HIGH |
| An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file. | |||||
| CVE-2021-24155 | 1 Backup-guard | 1 Backup Guard | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. | |||||
| CVE-2021-24145 | 1 Webnus | 1 Modern Events Calendar Lite | 2021-12-03 | 6.5 MEDIUM | 7.2 HIGH |
| Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. | |||||
| CVE-2020-28328 | 1 Salesagility | 1 Suitecrm | 2021-12-02 | 9.0 HIGH | 8.8 HIGH |
| SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. | |||||
| CVE-2021-24311 | 1 External Media Project | 1 External Media | 2021-12-02 | 6.5 MEDIUM | 8.8 HIGH |
| The wp_ajax_upload-remote-file AJAX action of the External Media WordPress plugin before 1.0.34 was vulnerable to arbitrary file uploads via any authenticated users. | |||||
| CVE-2021-42840 | 1 Salesagility | 1 Suitecrm | 2021-11-30 | 9.0 HIGH | 8.8 HIGH |
| SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. | |||||
| CVE-2021-42669 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-29 | 10.0 HIGH | 9.8 CRITICAL |
| A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id. | |||||
| CVE-2021-44094 | 1 Zrlog | 1 Zrlog | 2021-11-29 | 6.8 MEDIUM | 7.8 HIGH |
| ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file | |||||
| CVE-2021-44093 | 1 Zrlog | 1 Zrlog | 2021-11-29 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell | |||||
| CVE-2021-41675 | 1 E-negosyo System Project | 1 E-negosyo System | 2021-11-28 | 6.5 MEDIUM | 7.2 HIGH |
| A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. . | |||||