Total: 2646 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-2058 | | | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/product.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255373 was assigned to this vulnerability.
CVE-2024-29974 | | | 2024-11-21 | N/A | 9.8 CRITICAL | ** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program "file_upload-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
CVE-2024-29891 | | | 2024-11-21 | N/A | 8.7 HIGH | ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
CVE-2024-29859 | | | 2024-11-21 | N/A | 9.8 CRITICAL | In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVE-2024-29848 | | | 2024-11-21 | N/A | 7.2 HIGH | An unrestricted file upload vulnerability in the web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
CVE-2024-29661 | | | 2024-11-21 | N/A | 9.8 CRITICAL | A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.
CVE-2024-29515 | | | 2024-11-21 | N/A | 8.8 HIGH | File Upload vulnerability in lepton v.7.1.0 allows remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component.
CVE-2024-29514 | | | 2024-11-21 | N/A | 8.8 HIGH | File Upload vulnerability in lepton v.7.1.0 allows remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-29387 | | | 2024-11-21 | N/A | 8.8 HIGH | projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php.
CVE-2024-29368 | | | 2024-11-21 | N/A | 6.5 MEDIUM | An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content.
CVE-2024-29272 | | | 2024-11-21 | N/A | 6.5 MEDIUM | Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5 allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.
CVE-2024-29135 | | | 2024-11-21 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic. This issue affects Tourfic: from n/a through 2.11.15.
CVE-2024-29100 | | | 2024-11-21 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
CVE-2024-28890 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
CVE-2024-28713 | | | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature.
CVE-2024-28520 | | | 2024-11-21 | N/A | 6.5 MEDIUM | File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210 allows an attacker to obtain sensitive information via the uploadfile.php component.
CVE-2024-28441 | | | 2024-11-21 | N/A | 9.8 CRITICAL | File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint.
CVE-2024-28425 | | | 2024-11-21 | N/A | 7.5 HIGH | greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-28423 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted YML file.
CVE-2024-28418 | | | 2024-11-21 | N/A | 6.5 MEDIUM | Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php