Total
3177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27602 | 1 Apache | 1 Linkis | 2025-02-13 | N/A | 9.8 CRITICAL |
| In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` | |||||
| CVE-2023-0265 | 1 Uvdesk | 1 Community-skeleton | 2025-02-13 | N/A | 8.8 HIGH |
| Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | |||||
| CVE-2023-26857 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2025-02-13 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2025-1070 | 2025-02-13 | N/A | 8.1 HIGH | ||
| CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded. | |||||
| CVE-2020-8260 | 1 Ivanti | 1 Connect Secure | 2025-02-12 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | |||||
| CVE-2023-27033 | 1 Cdesigner Project | 1 Cdesigner | 2025-02-12 | N/A | 9.8 CRITICAL |
| Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent(). | |||||
| CVE-2023-29375 | 1 Progress | 1 Sitefinity | 2025-02-12 | N/A | 9.8 CRITICAL |
| An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector. | |||||
| CVE-2025-26350 | 2025-02-12 | N/A | 4.9 MEDIUM | ||
| A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests. | |||||
| CVE-2024-13714 | 2025-02-12 | N/A | 8.8 HIGH | ||
| The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-1406 | 1 Crocoblock | 1 Jetengine For Elementor | 2025-02-11 | N/A | 8.8 HIGH |
| The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. | |||||
| CVE-2024-7855 | 1 Thimpress | 1 Wp Hotel Booking | 2025-02-11 | N/A | 8.8 HIGH |
| The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-24720 | 1 Readium | 1 Readium-js | 2025-02-11 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in readium-js v0.32.0 allows attackers to execute arbitrary code via uploading a crafted EPUB file. | |||||
| CVE-2020-19802 | 1 Doyocms Project | 1 Doyocms | 2025-02-11 | N/A | 9.8 CRITICAL |
| File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter. | |||||
| CVE-2024-5247 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-11 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22923. | |||||
| CVE-2023-27179 | 1 Gdidees | 1 Gdidees Cms | 2025-02-11 | N/A | 7.5 HIGH |
| GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php. | |||||
| CVE-2023-27178 | 1 Gdidees | 1 Gdidees Cms | 2025-02-11 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2024-4809 | 1 Nikhil-bhalerao | 1 Open Source Clinic Management System | 2025-02-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in SourceCodester Open Source Clinic Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file setting.php. The manipulation of the argument logo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263929 was assigned to this vulnerability. | |||||
| CVE-2024-4820 | 1 Oretnom23 | 1 Online Computer And Laptop Store | 2025-02-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /classes/SystemSettings.php?f=update_settings. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263941 was assigned to this vulnerability. | |||||
| CVE-2024-5518 | 1 Emiloimagtolis | 1 Online Discussion Forum | 2025-02-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown part of the file change_profile_picture.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266589 was assigned to this vulnerability. | |||||
| CVE-2024-57408 | 2025-02-11 | N/A | 7.2 HIGH | ||
| An arbitrary file upload vulnerability in the component /comm/upload of cool-admin-java v1.0 allows attackers to execute arbitrary code via uploading a crafted file. | |||||