Total
2960 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16131 | 1 Phpok | 1 Oklite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/. | |||||
| CVE-2019-16066 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An unrestricted file upload vulnerability exists in user and system file upload functions in NETSAS Enigma NMS 65.0.0 and prior. This allows an attacker to upload malicious files and perform arbitrary code execution on the system. | |||||
| CVE-2019-15936 | 1 Intesync | 1 Solismed | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Intesync Solismed 3.3sp allows Insecure File Upload. | |||||
| CVE-2019-15866 | 1 Crelly Slider Project | 1 Crelly Slider | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The crelly-slider plugin before 1.3.5 for WordPress has arbitrary file upload via a PHP file inside a ZIP archive to wp_ajax_crellyslider_importSlider. | |||||
| CVE-2019-15862 | 1 Cksource | 1 Ckfinder | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP. | |||||
| CVE-2019-15843 | 1 Mi | 1 Xiaomi Millet Firmware | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. | |||||
| CVE-2019-15813 | 1 Sentrifugo | 1 Sentrifugo | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell. | |||||
| CVE-2019-15751 | 1 Sitos | 1 Sitos Six | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An unrestricted file upload vulnerability in SITOS six Build v6.2.1 allows remote attackers to execute arbitrary code by uploading a SCORM file with an executable extension. This allows an unauthenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to the web root of the application. | |||||
| CVE-2019-15748 | 1 Sitos | 1 Sitos Six | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SITOS six Build v6.2.1 permits unauthorised users to upload and import a SCORM 2004 package by browsing directly to affected pages. An unauthenticated attacker could use the upload and import functionality to import a malicious SCORM package that includes a PHP file, which could execute arbitrary PHP code. | |||||
| CVE-2019-15649 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload. | |||||
| CVE-2019-15524 | 1 Cszcms | 1 Csz Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI. | |||||
| CVE-2019-15131 | 1 Code42 | 1 Code42 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution. | |||||
| CVE-2019-15130 | 1 Humanica | 1 Humatrix 7 | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter. Moreover, the attacker can upload executable content (e.g., asp or aspx) for executing OS commands on the server. | |||||
| CVE-2019-15123 | 1 Vikisolutions | 1 Vera | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Branding Module in Viki Vera 4.9.1.26180 allows an authenticated user to change the logo on the website. An attacker could use this to upload a malicious .aspx file and gain Remote Code Execution on the site. | |||||
| CVE-2019-15091 | 1 Artica | 1 Integria Ims | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload. | |||||
| CVE-2019-14916 | 1 Prise | 1 Adas | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in PRiSE adAS 1.7.0. A file's format is not properly checked, leading to an unrestricted file upload. | |||||
| CVE-2019-14768 | 1 Dimo-crm | 1 Yellowbox Crm | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An Arbitrary File Upload issue in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to deploy a new WebApp WAR file to the Tomcat server via Path Traversal, allowing remote code execution with SYSTEM privileges. | |||||
| CVE-2019-14755 | 1 Leaftecnologia | 1 Leaf Admin | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type. | |||||
| CVE-2019-14748 | 1 Osticket | 1 Osticket | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment. | |||||
| CVE-2019-14657 | 1 Yeahlink | 6 T49g, T49g Firmware, T58v and 3 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root. | |||||