Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40524 | 1 Pureftpd | 1 Pure-ftpd | 2021-11-26 | 5.0 MEDIUM | 7.5 HIGH |
| In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) | |||||
| CVE-2021-43617 | 1 Laravel | 1 Framework | 2021-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload. | |||||
| CVE-2021-3915 | 1 Bookstackapp | 1 Bookstack | 2021-11-17 | 3.5 LOW | 5.7 MEDIUM |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-39222 | 1 Nextcloud | 1 Talk | 2021-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy. | |||||
| CVE-2021-42839 | 1 Vice | 1 Webopac | 2021-11-16 | 9.0 HIGH | 8.8 HIGH |
| Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logging in with general user’s permission, remote attackers can upload malicious script and execute arbitrary code to control the system or interrupt services. | |||||
| CVE-2021-41833 | 1 Zohocorp | 1 Manageengine Patch Connect Plus | 2021-11-15 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution. | |||||
| CVE-2020-23572 | 1 Beescms | 1 Beescms | 2021-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| BEESCMS v4.0 was discovered to contain an arbitrary file upload vulnerability via the component /admin/upload.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file. | |||||
| CVE-2021-34685 | 1 Hitachi | 1 Vantara Pentaho | 2021-11-09 | 6.5 MEDIUM | 7.2 HIGH |
| UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution). | |||||
| CVE-2021-31599 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2021-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code. | |||||
| CVE-2021-28023 | 1 Servicetonic | 1 Servicetonic | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths. | |||||
| CVE-2021-36623 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2021-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary File Upload in Sourcecodester Phone Shop Sales Management System 1.0 enables RCE. | |||||
| CVE-2020-18261 | 1 Ed01-cms Project | 1 Ed01-cms | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands. | |||||
| CVE-2018-25019 | 1 Learndash | 1 Learndash | 2021-11-03 | 5.0 MEDIUM | 7.5 HIGH |
| The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server | |||||
| CVE-2021-3906 | 1 Bookstackapp | 1 Bookstack | 2021-11-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-38847 | 1 S-cart | 1 S-cart | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH |
| S-Cart v6.4.1 and below was discovered to contain an arbitrary file upload vulnerability in the Editor module on the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted IMG file. | |||||
| CVE-2021-26740 | 1 Doyocms Project | 1 Doyocms | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code. | |||||
| CVE-2021-41643 | 1 Church Management System Project | 1 Church Management System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field. | |||||
| CVE-2021-41644 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters. | |||||
| CVE-2021-40344 | 1 Nagios | 1 Nagios Xi | 2021-11-02 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution. | |||||
| CVE-2021-36548 | 1 Monstra | 1 Monstra | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file. | |||||