Total: 1117 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-45411 | 1 Printable Staff Id Card Creator System Project | 1 Printable Staff Id Card Creator System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | In Sourcecodetester Printable Staff ID Card Creator System 1.0, after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution. |
| CVE-2021-45040 | 1 Spatie | 1 Laravel Media Library | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route. |
| CVE-2021-44164 | 1 Chinasea | 1 Qb Smart Service Robot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Chain Sea ai chatbot system's file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to bypass file type validation, upload a malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service. |
| CVE-2021-44159 | 1 4mosan | 1 Gcb Doctor | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | 4MOSAn GCB Doctor's file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or a denial of service attack. |
| CVE-2021-44093 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit and upload a JSP file to get a WebShell. |
| CVE-2021-44031 | 1 Quest | 1 Kace Desktop Authority | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code execution. An attacker could upload a .ASP file to reside at /images/{GUID}/(unknown). |
| CVE-2021-43936 | 1 Webhmi | 2 Webhmi, Webhmi Firmware | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL | The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, which may be automatically processed within the product's environment or lead to arbitrary code execution. |
| CVE-2021-43934 | 1 Smartptt | 1 Smartptt Scada | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files. |
| CVE-2021-43617 | 1 Laravel | 1 Framework | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload. |
| CVE-2021-43421 | 1 Std42 | 1 Elfinder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. |
| CVE-2021-43117 | 1 Fastadmin | 1 Fastadmin | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. |
| CVE-2021-42967 | 1 Novel-plus Project | 1 Novel-plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows an attacker to upload malicious JSP files. |
| CVE-2021-42675 | 1 Kreado | 1 Kreasfero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution. |
| CVE-2021-42669 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is stored in the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with /admin/uploads/php-webshell?cmd=id. |
| CVE-2021-42654 | 1 Sscms | 1 Siteserver Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SiteServer CMS < V5.1 is affected by an unrestricted upload of a file with dangerous type (getshell), which could be used to execute arbitrary code. |
| CVE-2021-42645 | 1 Cmsimple-xh | 1 Cmsimple Xh | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL | CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host. |
| CVE-2021-42342 | 1 Embedthis | 1 Goahead | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts. |
| CVE-2021-42099 | 1 Zohocorp | 1 Manageengine M365 Manager Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution. |
| CVE-2021-41921 | 1 Novel-plus Project | 1 Novel-plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. |
| CVE-2021-41833 | 1 Zohocorp | 1 Manageengine Patch Connect Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution. |