Total: 2655 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2019-10478 | 1 Glory-global | 2 Rbw-100, Rbw-100 Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH | An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0. An unrestricted file upload vulnerability in the Front Circle Controller glytoolcgi/settingfile_upload.cgi allows attackers to upload supplied data. This can be used to place attacker-controlled code on the filesystem that can be executed and can lead to a reverse root shell. |
CVE-2019-10276 | 1 Cobub | 1 Razor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Western Bridge Cobub Razor 0.8.0 has a file upload vulnerability via the web/assets/swf/uploadify.php URI, as demonstrated by a .php file with the image/jpeg content type. |
CVE-2019-10267 | 1 Ahsay | 1 Cloud Backup Suite | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator). |
CVE-2019-10012 | 2 Jenzabar, Tiny | 2 Internet Campus Solution, Moxiemanager | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH | Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote attackers to upload and execute arbitrary .aspx code by placing it in a ZIP archive and using the MoxieManager (for .NET) plugin before 2.1.4 in the moxiemanager directory within the installation folder ICS\ICS.NET\ICSFileServer. |
CVE-2019-1010209 | 1 Gorul | 1 Gourl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE-434. The impact is: an unauthenticated/unauthorized attacker can upload an executable file to the website. The component is: gourl.php#L5637. The fixed version is: 1.4.14. |
CVE-2019-1010123 | 1 Modx | 1 Modx Revolution | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: creating a file with a custom filename and content. The component is: filtering of user parameters before passing them into the phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php. |
CVE-2019-1010062 | 1 Pluck-cms | 1 Pluckcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: obtaining a webshell. The component is: data/inc/images.php line 36. The attack vector is: modifying the MIME type in the HTTP request to upload a PHP file. The fixed version is: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8. |
CVE-2019-0327 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | SAP NetWeaver for Java Application Server - Web Container (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5; servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5) allows an attacker to upload files (including script files) without proper file format validation. |
CVE-2019-0259 | 1 Sap | 1 Businessobjects | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SAP BusinessObjects, versions 4.2 and 4.3 (Visual Difference), allows an attacker to upload any file (including script files) without proper file format validation. |
CVE-2019-0017 | 1 Juniper | 1 Junos Space | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM | The Junos Space application, which allows Device Image files to be uploaded, has insufficient validity checking, which may allow uploading of malicious images or scripts, or other content types. Affected releases are Juniper Networks Junos Space versions prior to 18.3R1. |
CVE-2018-9209 | 1 Fineuploader | 1 Php-traditional-server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2. |
CVE-2018-9208 | 1 Tuyoshi | 1 Jquery Picture Cut | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta. |
CVE-2018-9207 | 1 Hayageek | 1 Jquery Upload File | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Arbitrary file upload in jQuery Upload File <= 4.0.2. |
CVE-2018-9206 | 1 Jquery File Upload Project | 1 Jquery File Upload | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0. |
CVE-2018-9157 | 1 Axis | 2 M1033-w, M1033-w Firmware | 2024-11-21 | 7.6 HIGH | 7.5 HIGH | An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality. |
CVE-2018-9156 | 1 Axis | 2 P1354, P1354 Firmware | 2024-11-21 | 7.6 HIGH | 7.5 HIGH | An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality. |
CVE-2018-9153 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF. |
CVE-2018-9037 | 1 Monstra | 1 Monstra | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. |
CVE-2018-8944 | 1 Phpok | 1 Phpok | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | PHPOK 4.8.338 has an arbitrary file upload vulnerability. |
CVE-2018-8766 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbitrary File Upload issue in manager/editor/upload.php, related to manager/admin_vod.php?action=add. |