Total
3433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40531 | 2 Apple, Sketch | 2 Macos, Sketch | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app. | |||||
| CVE-2021-40344 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution. | |||||
| CVE-2021-40324 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | |||||
| CVE-2021-40189 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code. | |||||
| CVE-2021-40188 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server. | |||||
| CVE-2021-40175 | 1 Zohocorp | 1 Manageengine Log360 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. | |||||
| CVE-2021-3915 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-3906 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-3846 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-3832 | 1 Artica | 1 Integria Ims | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Integria IMS in its 5.0.92 version is vulnerable to a Remote Code Execution attack through file uploading. An unauthenticated attacker could abuse the AsyncUpload() function in order to exploit the vulnerability. | |||||
| CVE-2021-3745 | 1 Flatcore | 1 Flatcore-cms | 2024-11-21 | 6.0 MEDIUM | 6.6 MEDIUM |
| flatcore-cms is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-3378 | 1 Fortilogger | 1 Fortilogger | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp. | |||||
| CVE-2021-3277 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files. | |||||
| CVE-2021-3166 | 1 Asus | 2 Dsl-n14u B1, Dsl-n14u B1 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services. | |||||
| CVE-2021-3164 | 1 Churchdesk | 1 Churchrota | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php. | |||||
| CVE-2021-3120 | 1 Yithemes | 1 Yith Woocommerce Gift Cards | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images. | |||||
| CVE-2021-39608 | 1 Flatcore | 1 Flatcore-cms | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code. | |||||
| CVE-2021-39384 | 1 Diaowen | 1 Dwsurvey | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java. | |||||
| CVE-2021-39352 | 1 Catchplugins | 1 Catch Themes Demo Import | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution. | |||||
| CVE-2021-39317 | 1 Accesspressthemes | 43 Access Demo Importer, Accesspress-basic, Accesspress-lite and 40 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9 | |||||