Vulnerabilities (CVE)

Filtered by CWE-434
Total 2367 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-25406 1 Lemocms 1 Lemocms 2020-12-03 7.5 HIGH 7.3 HIGH
app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload files to upload executable files.
CVE-2020-28687 1 Artworks Gallery In Php\, Css\, Javascript\, And Mysql Project 1 Artworks Gallery In Php\, Css\, Javascript\, And Mysql 2020-12-02 9.0 HIGH 8.8 HIGH
The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.
CVE-2020-28688 1 Artworks Gallery In Php\, Css\, Javascript\, And Mysql Project 1 Artworks Gallery In Php\, Css\, Javascript\, And Mysql 2020-12-02 9.0 HIGH 8.8 HIGH
The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.
CVE-2020-13774 1 Ivanti 1 Endpoint Manager 2020-12-02 9.0 HIGH 9.9 CRITICAL
An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.
CVE-2020-28693 1 Horizontcms Project 1 Horizontcms 2020-11-30 9.0 HIGH 8.8 HIGH
An unrestricted file upload issue in HorizontCMS 1.0.0-beta allows an authenticated remote attacker to upload PHP code through a zip file by uploading a theme, and executing the PHP file via an HTTP GET request to /themes/<php_file_name>
CVE-2020-28692 1 Gilacms 1 Gila Cms 2020-11-30 6.5 MEDIUM 7.2 HIGH
In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files.
CVE-2020-28130 1 Online Library Management System Project 1 Online Library Management System 2020-11-23 10.0 HIGH 9.8 CRITICAL
An Arbitrary File Upload in the Upload Image component in SourceCodester Online Library Management System 1.0 allows the user to conduct remote code execution via admin/borrower/index.php?view=add because .php files can be uploaded to admin/borrower/photos (under the web root).
CVE-2020-28140 1 Online Clothing Store Project 1 Online Clothing Store 2020-11-23 7.5 HIGH 9.8 CRITICAL
SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php.
CVE-2020-26553 1 Aviatrix 1 Controller 2020-11-23 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.
CVE-2020-23138 1 Microweber 1 Microweber 2020-11-20 7.5 HIGH 9.8 CRITICAL
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.
CVE-2020-26804 1 Sapplica 1 Sentrifugo 2020-11-17 6.5 MEDIUM 8.8 HIGH
In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.
CVE-2020-26803 1 Sapplica 1 Sentrifugo 2020-11-17 6.5 MEDIUM 8.8 HIGH
In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.
CVE-2020-24407 1 Magento 1 Magento 2020-11-12 9.0 HIGH 9.1 CRITICAL
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
CVE-2020-11486 2 Intel, Nvidia 2 Bmc Firmware, Dgx-1 2020-11-05 7.5 HIGH 9.8 CRITICAL
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution.
CVE-2020-15277 1 Basercms 1 Basercms 2020-11-03 6.5 MEDIUM 7.2 HIGH
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
CVE-2020-27956 1 Car Rental Management System Project 1 Car Rental Management System 2020-11-03 7.5 HIGH 9.8 CRITICAL
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
CVE-2015-9228 1 Imagely 1 Nextgen Gallery 2020-10-29 9.0 HIGH 8.8 HIGH
In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php.
CVE-2020-26583 1 Sagedpw 1 Sage Dpw 2020-10-29 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include arbitrary HTML or JavaScript code into the affected web page. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.
CVE-2019-1861 1 Cisco 1 Industrial Network Director 2020-10-16 9.0 HIGH 7.2 HIGH
A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.
CVE-2020-15488 1 Re-desk 1 Re\ 2020-10-15 5.0 MEDIUM 7.5 HIGH
Re:Desk 2.3 allows insecure file upload.