Total
2604 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11028 | 1 Gatship | 1 Web Module | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| GAT-Ship Web Module before 1.40 suffers from a vulnerability allowing authenticated attackers to upload any file type to the server via the "Documents" area. This vulnerability is related to "uploadDocFile.aspx". | |||||
| CVE-2019-13294 | 1 Arox | 1 School-erp | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system. | |||||
| CVE-2019-1010209 | 1 Gorul | 1 Gourl | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE-434. The impact is: unauthenticated/unzuthorized Attacker can upload executable file in website. The component is: gourl.php#L5637. The fixed version is: 1.4.14. | |||||
| CVE-2018-20526 | 1 Roxyfileman | 1 Roxy Fileman | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php. | |||||
| CVE-2019-13976 | 1 Egain | 1 Chat | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| eGain Chat 15.0.3 allows unrestricted file upload. | |||||
| CVE-2019-10869 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters. | |||||
| CVE-2017-18592 | 1 Wc-marketplace | 1 Wc Catalog Enquiry | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. | |||||
| CVE-2019-8371 | 1 Open-emr | 1 Openemr | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| OpenEMR v5.0.1-6 allows code execution. | |||||
| CVE-2019-10652 | 1 Flatcore | 1 Flatcore | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature. | |||||
| CVE-2019-3960 | 1 Wallaceit | 1 Wallacepos | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file. | |||||
| CVE-2019-3495 | 1 Indionetworks | 2 Unibox, Unibox Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using Hard coded credentials. | |||||
| CVE-2018-19612 | 1 Westermo | 6 Dr-250, Dr-250 Firmware, Dr-260 and 3 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| The /uploadfile? functionality in Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers allows remote users to upload malicious file types and execute ASP code. | |||||
| CVE-2015-5601 | 1 Edx | 1 Edx-platform | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files. | |||||
| CVE-2019-11447 | 1 Cutephp | 1 Cutenews | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.) | |||||
| CVE-2019-9692 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). | |||||
| CVE-2019-11401 | 1 Siteserver | 1 Siteserver Cms | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| A issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted. | |||||
| CVE-2019-7257 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| Linear eMerge E3-Series devices allow Unrestricted File Upload. | |||||
| CVE-2018-18572 | 1 Oscommerce | 1 Oscommerce | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | |||||
| CVE-2019-9825 | 1 Feifeicms | 1 Feifeicms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| FeiFeiCMS 4.1.190209 allows remote attackers to upload and execute arbitrary PHP code by visiting index.php?s=Admin-Index to modify the set of allowable file extensions, as demonstrated by adding php to the default jpg,gif,png,jpeg setting, and then using the "add article" feature. | |||||
| CVE-2019-10959 | 1 Bd | 10 Alaris Cc Syringe Pump, Alaris Cc Syringe Pump Firmware, Alaris Gateway Workstation and 7 more | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, 1.3.1 Build 13, This does not impact the latest firmware Versions 1.3.2 and 1.6.1, Additionally, the following products using software Version 2.3.6 and below, Alaris GS, Alaris GH, Alaris CC, Alaris TIVA, The application does not restrict the upload of malicious files during a firmware update. | |||||