Total: 2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-9472 | 1 Umbraco | 1 Umbraco Cms | 2020-03-19 | 4.0 MEDIUM | 6.5 MEDIUM | Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. |
CVE-2020-10562 | 1 Devome | 1 Grr | 2020-03-18 | 6.5 MEDIUM | 7.2 HIGH | An issue was discovered in DEVOME GRR before 3.4.1c. admin_edit_room.php mishandles file uploads. |
CVE-2020-10557 | 1 Atutor | 1 Acontent | 2020-03-18 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in AContent through 1.4. It allows the user to run commands on the server with a low-privileged account. The upload section in the file manager page contains an arbitrary file upload vulnerability via upload.php. The extension .php7 bypasses file upload restrictions. |
CVE-2020-6965 | 1 Gehealthcare | 18 Apexpro Telemetry Server, Apexpro Telemetry Server Firmware, Carescape B450 Monitor and 15 more | 2020-03-17 | 6.5 MEDIUM | 9.9 CRITICAL | In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package. |
CVE-2018-6860 | 1 Schools Alert Management Script Project | 1 Schools Alert Management Script | 2020-03-11 | 6.5 MEDIUM | 8.8 HIGH | Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture. |
CVE-2016-6918 | 1 Lexmark | 1 Markvision Enterprise | 2020-03-10 | 7.5 HIGH | 9.8 CRITICAL | Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attackers to execute arbitrary commands by uploading files. |
CVE-2015-7339 | 1 Widgetfactorylimited | 1 Jce | 2020-03-10 | 6.5 MEDIUM | 8.8 HIGH | JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a .php file extension for an image file to the /com_jce/editor/libraries/classes/browser.php script. |
CVE-2020-9380 | 1 Whmcssmarters | 1 Web Tv Player | 2020-03-10 | 7.5 HIGH | 9.8 CRITICAL | IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script. |
CVE-2020-5256 | 1 Bookstackapp | 1 Bookstack | 2020-03-10 | 9.0 HIGH | 8.8 HIGH | BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability. |
CVE-2015-7341 | 1 Joobi | 1 Jnews | 2020-03-10 | 6.5 MEDIUM | 8.8 HIGH | JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension. |
CVE-2018-19798 | 1 Fleetco | 1 Fleet Maintenance Management | 2020-03-04 | 6.5 MEDIUM | 8.8 HIGH | Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any authenticated user can exploit this. |
CVE-2018-17058 | 1 Jaba | 1 Jaba Xpress | 2020-03-04 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in JABA XPress Online Shop through 2018-09-14. It contains an arbitrary file upload vulnerability in the picture-upload feature of ProductEdit.aspx. An authenticated attacker may bypass the frontend filename validation and upload an arbitrary file via FileUploader.aspx.cs in FileUploader.aspx by using empty w and h parameters. This file may contain arbitrary aspx code that may be executed by accessing /Jec/ProductImages/<number>/<filename>. Accessing the file once uploaded does not require authentication. |
CVE-2016-11020 | 1 Kunena | 1 Kunena | 2020-03-03 | 7.5 HIGH | 9.8 CRITICAL | Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution. |
CVE-2011-4908 | 1 Tiny | 1 Tinybrowser | 2020-02-25 | 10.0 HIGH | 9.8 CRITICAL | TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php. |
CVE-2011-4906 | 1 Tiny | 1 Tinybrowser | 2020-02-25 | 7.5 HIGH | 9.8 CRITICAL | Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution. |
CVE-2020-6975 | 1 Digi | 3 Connectport Lts 32 Mei, Connectport Lts 32 Mei Bios, Connectport Lts 32 Mei Firmware | 2020-02-21 | 4.0 MEDIUM | 4.9 MEDIUM | Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application. |
CVE-2018-12263 | 1 Portfoliocms Project | 1 Portfoliocms | 2020-02-20 | 6.5 MEDIUM | 8.8 HIGH | portfolioCMS 1.0.5 allows upload of arbitrary .php files via the admin/portfolio.php?newpage=true URI. |
CVE-2013-2057 | 1 Yabb | 1 Yabb | 2020-02-14 | 7.5 HIGH | 9.8 CRITICAL | YaBB through 2.5.2: 'guestlanguage' Cookie Parameter Local File Include Vulnerability |
CVE-2013-0803 | 1 Polarbear Cms Project | 1 Polarbear Cms | 2020-02-14 | 7.5 HIGH | 9.8 CRITICAL | A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code. |
CVE-2014-2025 | 1 Unitedplanet | 1 Intrexx | 2020-02-13 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unknown vectors. |