Vulnerabilities (CVE)

Filtered by CWE-434
Total 2646 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-2058 2024-11-21 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/product.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255373 was assigned to this vulnerability.
CVE-2024-29974 2024-11-21 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
CVE-2024-29891 2024-11-21 N/A 8.7 HIGH
ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
CVE-2024-29859 2024-11-21 N/A 9.8 CRITICAL
In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVE-2024-29848 2024-11-21 N/A 7.2 HIGH
An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
CVE-2024-29661 2024-11-21 N/A 9.8 CRITICAL
A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.
CVE-2024-29515 2024-11-21 N/A 8.8 HIGH
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component.
CVE-2024-29514 2024-11-21 N/A 8.8 HIGH
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-29387 2024-11-21 N/A 8.8 HIGH
projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php.
CVE-2024-29368 2024-11-21 N/A 6.5 MEDIUM
An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content.
CVE-2024-29272 2024-11-21 N/A 6.5 MEDIUM
Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.
CVE-2024-29135 2024-11-21 N/A 9.9 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic.This issue affects Tourfic: from n/a through 2.11.15.
CVE-2024-29100 2024-11-21 N/A 9.1 CRITICAL
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
CVE-2024-28890 2024-11-21 N/A 5.3 MEDIUM
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
CVE-2024-28713 2024-11-21 N/A 9.8 CRITICAL
An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature.
CVE-2024-28520 2024-11-21 N/A 6.5 MEDIUM
File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component.
CVE-2024-28441 2024-11-21 N/A 9.8 CRITICAL
File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint.
CVE-2024-28425 2024-11-21 N/A 7.5 HIGH
greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-28423 2024-11-21 N/A 9.8 CRITICAL
Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted YML file.
CVE-2024-28418 2024-11-21 N/A 6.5 MEDIUM
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php