Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-25406 | 1 Lemocms | 1 Lemocms | 2020-12-03 | 7.5 HIGH | 7.3 HIGH | app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload executable files. |
CVE-2020-28687 | 1 Artworks Gallery In Php, Css, Javascript, And Mysql Project | 1 Artworks Gallery In Php, Css, Javascript, And Mysql | 2020-12-02 | 9.0 HIGH | 8.8 HIGH | The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files. |
CVE-2020-28688 | 1 Artworks Gallery In Php, Css, Javascript, And Mysql Project | 1 Artworks Gallery In Php, Css, Javascript, And Mysql | 2020-12-02 | 9.0 HIGH | 8.8 HIGH | The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files. |
CVE-2020-13774 | 1 Ivanti | 1 Endpoint Manager | 2020-12-02 | 9.0 HIGH | 9.9 CRITICAL | An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server. |
CVE-2020-28693 | 1 Horizontcms Project | 1 Horizontcms | 2020-11-30 | 9.0 HIGH | 8.8 HIGH | An unrestricted file upload issue in HorizontCMS 1.0.0-beta allows an authenticated remote attacker to upload PHP code through a zip file by uploading a theme, and to execute the PHP file via an HTTP GET request to /themes/<php_file_name>. |
CVE-2020-28692 | 1 Gilacms | 1 Gila Cms | 2020-11-30 | 6.5 MEDIUM | 7.2 HIGH | In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function for executing PHP files. |
CVE-2020-28130 | 1 Online Library Management System Project | 1 Online Library Management System | 2020-11-23 | 10.0 HIGH | 9.8 CRITICAL | An Arbitrary File Upload in the Upload Image component in SourceCodester Online Library Management System 1.0 allows the user to conduct remote code execution via admin/borrower/index.php?view=add because .php files can be uploaded to admin/borrower/photos (under the web root). |
CVE-2020-28140 | 1 Online Clothing Store Project | 1 Online Clothing Store | 2020-11-23 | 7.5 HIGH | 9.8 CRITICAL | SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php. |
CVE-2020-26553 | 1 Aviatrix | 1 Controller | 2020-11-23 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree. |
CVE-2020-23138 | 1 Microweber | 1 Microweber | 2020-11-20 | 7.5 HIGH | 9.8 CRITICAL | An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or a file with any extension (e.g., .exe) to the web server by providing image data and the image/jpeg content type with a .php extension. |
CVE-2020-26804 | 1 Sapplica | 1 Sentrifugo | 2020-11-17 | 6.5 MEDIUM | 8.8 HIGH | In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files through it and control the server. |
CVE-2020-26803 | 1 Sapplica | 1 Sentrifugo | 2020-11-17 | 6.5 MEDIUM | 8.8 HIGH | In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files through it and control the server. |
CVE-2020-24407 | 1 Magento | 1 Magento | 2020-11-12 | 9.0 HIGH | 9.1 CRITICAL | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components. |
CVE-2020-11486 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2020-11-05 | 7.5 HIGH | 9.8 CRITICAL | NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution. |
CVE-2020-15277 | 1 Basercms | 1 Basercms | 2020-11-03 | 6.5 MEDIUM | 7.2 HIGH | baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1. |
CVE-2020-27956 | 1 Car Rental Management System Project | 1 Car Rental Management System | 2020-11-03 | 7.5 HIGH | 9.8 CRITICAL | An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root). |
CVE-2015-9228 | 1 Imagely | 1 Nextgen Gallery | 2020-10-29 | 9.0 HIGH | 8.8 HIGH | In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php. |
CVE-2020-26583 | 1 Sagedpw | 1 Sage Dpw | 2020-10-29 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include arbitrary HTML or JavaScript code in the affected web page. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware. |
CVE-2019-1861 | 1 Cisco | 1 Industrial Network Director | 2020-10-16 | 9.0 HIGH | 7.2 HIGH | A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. |
CVE-2020-15488 | 1 Re-desk | 1 Re\ | 2020-10-15 | 5.0 MEDIUM | 7.5 HIGH | Re:Desk 2.3 allows insecure file upload. |