Total: 1114 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-18912 | 1 Earcms | 1 Ear | 2024-11-21 | N/A | 9.8 CRITICAL |
An issue found in Earcms Ear App v.20181124 allows a remote attacker to execute arbitrary code via the uload/index-uplog.php. | |||||
CVE-2020-18879 | 1 Bludit | 1 Bludit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'. | |||||
CVE-2020-18704 | 1 Fusionbox | 1 Widgy | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'. | |||||
CVE-2020-18432 | 1 Sem-cms | 1 Semcms | 2024-11-21 | N/A | 9.8 CRITICAL |
File Upload vulnerability in SEMCMS PHP 3.7 allows remote attackers to upload arbitrary files and gain escalated privileges. | |||||
CVE-2020-18261 | 1 Ed01-cms Project | 1 Ed01-cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands. | |||||
CVE-2020-18166 | 1 Laobancms | 1 Laobancms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc". | |||||
CVE-2020-18114 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format. | |||||
CVE-2020-14067 | 1 Naviwebs | 1 Navigatecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The install_from_hash functionality in Navigate CMS 2.9 does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code, in check_upload in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php. | |||||
CVE-2020-13774 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server. | |||||
CVE-2020-13675 | 1 Drupal | 1 Drupal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. | |||||
CVE-2020-13442 | 1 Dext5 | 1 Dext5 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/. | |||||
CVE-2020-13126 | 1 Elementor | 1 Elementor Page Builder | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected. | |||||
CVE-2020-12843 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used. | |||||
CVE-2020-12828 | 1 Pango | 1 Virtual Private Network Software Development Kit | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges. | |||||
CVE-2020-12800 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. | |||||
CVE-2020-11817 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | |||||
CVE-2020-11815 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | |||||
CVE-2020-11811 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the server using this malicious file. | |||||
CVE-2020-11722 | 1 Dungeon Crawl Stone Soup Project | 1 Dungeon Crawl Stone Soup | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file. | |||||
CVE-2020-11486 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution. |