Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-24663 | 1 Simple Schools Staff Directory Project | 1 Simple Schools Staff Directory | 2021-10-01 | 6.5 MEDIUM | 7.2 HIGH | The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high-privilege users such as admin to upload arbitrary files such as PHP, leading to RCE.
CVE-2021-37761 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
CVE-2021-37539 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file upload, which leads to remote code execution.
CVE-2021-26794 | 1 Frogcms Project | 1 Frogcms | 2021-09-29 | 7.5 HIGH | 9.8 CRITICAL | Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows an attacker to execute arbitrary code via a crafted PHP file.
CVE-2021-29699 | 2 Docker, Ibm | 2 Docker, Security Verify Access | 2021-09-29 | 6.0 MEDIUM | 6.8 MEDIUM | IBM Security Verify Access Docker 10.0.0 could allow a remote privileged user to upload arbitrary files with a dangerous file type that could be executed by a user. IBM X-Force ID: 200600.
CVE-2020-21483 | 1 Jizhicms | 1 Jizhicms | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH | An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file.
CVE-2020-21322 | 1 Feehi | 1 Feehicms | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL | An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2021-36582 | 1 Kooboo | 1 Kooboo Cms | 2021-09-28 | 10.0 HIGH | 9.8 CRITICAL | In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. The files are uploaded to /Content/Template/root/reverse-shell.aspx and can be triggered simply by browsing to that URL.
CVE-2021-33698 | 1 Sap | 1 Business One | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH | SAP Business One, version 10.0, allows an attacker with business authorization to upload any files (including script files) without proper file format validation.
CVE-2021-40845 | 1 Zenitel | 1 Alphacom Xe Audio Server | 2021-09-27 | 6.5 MEDIUM | 8.8 HIGH | The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor the extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.
CVE-2020-21481 | 1 Rgcms Project | 1 Rgcms | 2021-09-27 | 6.5 MEDIUM | 7.2 HIGH | An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file.
CVE-2021-36581 | 1 Kooboo | 1 Kooboo Cms | 2021-09-24 | 7.5 HIGH | 9.8 CRITICAL | Kooboo CMS 2.1.1.0 is vulnerable to insecure file upload. It is possible to upload any file extension to the server. The server does not verify the extension of the file, and the tester was able to upload an aspx file to the server.
CVE-2020-20672 | 1 Kitesky | 1 Kitecms | 2021-09-23 | 6.8 MEDIUM | 7.8 HIGH | An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file.
CVE-2020-20670 | 1 Zkea | 1 Zkeacms | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH | An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file.
CVE-2021-24493 | 1 Ingenesis | 1 Shopp | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL | The shopp_upload_file AJAX action of the Shopp WordPress plugin through 1.4, available to both unauthenticated and authenticated users, does not have any security measure in place to prevent the upload of malicious files such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE.
CVE-2021-24490 | 1 Email Artillery Project | 1 Email Artillery | 2021-09-23 | 6.0 MEDIUM | 6.8 MEDIUM | The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the files uploaded through the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin also lacks any CSRF check, allowing the issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on web servers such as Nginx/IIS.
CVE-2020-19267 | 1 Dswjcms Project | 1 Dswjcms | 2021-09-22 | 7.5 HIGH | 9.8 CRITICAL | An issue in index.php/Dswjcms/Basis/resources of Dswjcms 1.6.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2020-21564 | 1 Pluck-cms | 1 Pluck | 2021-09-21 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause remote command execution via admin.php?action=files.
CVE-2020-8260 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2021-09-21 | 6.5 MEDIUM | 7.2 HIGH | A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform arbitrary code execution using uncontrolled gzip extraction.
CVE-2021-24376 | 1 Autoptimize | 1 Autoptimize | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL | The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, and it is possible to upload a zip containing a directory with a PHP file in it, which is then not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.