Vulnerabilities (CVE)

Filtered by CWE-434
Total 2367 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-9472 1 Umbraco 1 Umbraco Cms 2020-03-19 4.0 MEDIUM 6.5 MEDIUM
Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.
CVE-2020-10562 1 Devome 1 Grr 2020-03-18 6.5 MEDIUM 7.2 HIGH
An issue was discovered in DEVOME GRR before 3.4.1c. admin_edit_room.php mishandles file uploads.
CVE-2020-10557 1 Atutor 1 Acontent 2020-03-18 6.5 MEDIUM 8.8 HIGH
An issue was discovered in AContent through 1.4. It allows the user to run commands on the server with a low-privileged account. The upload section in the file manager page contains an arbitrary file upload vulnerability via upload.php. The extension .php7 bypasses file upload restrictions.
CVE-2020-6965 1 Gehealthcare 18 Apexpro Telemetry Server, Apexpro Telemetry Server Firmware, Carescape B450 Monitor and 15 more 2020-03-17 6.5 MEDIUM 9.9 CRITICAL
In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.
CVE-2018-6860 1 Schools Alert Management Script Project 1 Schools Alert Management Script 2020-03-11 6.5 MEDIUM 8.8 HIGH
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.
CVE-2016-6918 1 Lexmark 1 Markvision Enterprise 2020-03-10 7.5 HIGH 9.8 CRITICAL
Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attackers to execute arbitrary commands by uploading files.
CVE-2015-7339 1 Widgetfactorylimited 1 Jce 2020-03-10 6.5 MEDIUM 8.8 HIGH
JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a .php file extension for an image file to the /com_jce/editor/libraries/classes/browser.php script.
CVE-2020-9380 1 Whmcssmarters 1 Web Tv Player 2020-03-10 7.5 HIGH 9.8 CRITICAL
IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script.
CVE-2020-5256 1 Bookstackapp 1 Bookstack 2020-03-10 9.0 HIGH 8.8 HIGH
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.
CVE-2015-7341 1 Joobi 1 Jnews 2020-03-10 6.5 MEDIUM 8.8 HIGH
JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension.
CVE-2018-19798 1 Fleetco 1 Fleet Maintenance Management 2020-03-04 6.5 MEDIUM 8.8 HIGH
Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any authenticated user can exploit this.
CVE-2018-17058 1 Jaba 1 Jaba Xpress 2020-03-04 6.5 MEDIUM 8.8 HIGH
An issue was discovered in JABA XPress Online Shop through 2018-09-14. It contains an arbitrary file upload vulnerability in the picture-upload feature of ProductEdit.aspx. An authenticated attacker may bypass the frontend filename validation and upload an arbitrary file via FileUploader.aspx.cs in FileUploader.aspx by using empty w and h parameters. This file may contain arbitrary aspx code that may be executed by accessing /Jec/ProductImages/<number>/<filename>. Accessing the file once uploaded does not require authentication.
CVE-2016-11020 1 Kunena 1 Kunena 2020-03-03 7.5 HIGH 9.8 CRITICAL
Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
CVE-2011-4908 1 Tiny 1 Tinybrowser 2020-02-25 10.0 HIGH 9.8 CRITICAL
TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.
CVE-2011-4906 1 Tiny 1 Tinybrowser 2020-02-25 7.5 HIGH 9.8 CRITICAL
Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.
CVE-2020-6975 1 Digi 3 Connectport Lts 32 Mei, Connectport Lts 32 Mei Bios, Connectport Lts 32 Mei Firmware 2020-02-21 4.0 MEDIUM 4.9 MEDIUM
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application.
CVE-2018-12263 1 Portfoliocms Project 1 Portfoliocms 2020-02-20 6.5 MEDIUM 8.8 HIGH
portfolioCMS 1.0.5 allows upload of arbitrary .php files via the admin/portfolio.php?newpage=true URI.
CVE-2013-2057 1 Yabb 1 Yabb 2020-02-14 7.5 HIGH 9.8 CRITICAL
YaBB through 2.5.2: 'guestlanguage' Cookie Parameter Local File Include Vulnerability
CVE-2013-0803 1 Polarbear Cms Project 1 Polarbear Cms 2020-02-14 7.5 HIGH 9.8 CRITICAL
A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code.
CVE-2014-2025 1 Unitedplanet 1 Intrexx 2020-02-13 7.5 HIGH 9.8 CRITICAL
Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unknown vectors.