Total: 2590 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-12491 | 1 Phpok | 1 Phpok | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | PHPOK 4.9.032 has an arbitrary file upload vulnerability in the import_f function in framework/admin/modulec_control.php, as demonstrated by uploading a .php file inside a .php.zip archive; a similar issue to CVE-2018-8944. |
CVE-2018-7562 | 1 Glpi-project | 1 Glpi | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH | A remote code execution issue was discovered in GLPI through 9.2.1. A race condition allows temporary access to an uploaded executable file that the application will ultimately disallow. An authenticated user can upload a file when creating a new ticket via front/fileupload.php. The feature is protected by checks such as a test on the file's extension, but the application nevertheless writes the disallowed file to disk and only afterwards deletes it in the uploadFiles method in inc/glpiuploaderhandler.class.php, leaving a window in which the file can be requested. |
CVE-2018-12519 | 1 Codenx | 1 Shopnx | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH | An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to the Node.js application; for example, an attacker can upload a malicious HTML file containing a JavaScript payload to steal users' credentials. |
CVE-2017-18048 | 1 Monstra | 1 Monstra | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | Monstra CMS 3.0.4 allows users to upload arbitrary files, leading to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not. |
CVE-2018-3758 | 1 Express-cart Project | 1 Express-cart | 2024-02-28 | 9.0 HIGH | 8.8 HIGH | Unrestricted file upload (RCE) in the express-cart module before 1.1.7 allows a privileged user to gain access to the hosting machine. |
CVE-2018-10577 | 1 Watchguard | 8 Ap100, Ap100 Firmware, Ap102 and 5 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH | An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. File upload functionality allows any user authenticated on the web interface to upload files containing code to the web root, where they are executed as root. |
CVE-2018-11322 | 1 Joomla | 1 Joomla! | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH | An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver. |
CVE-2018-7217 | 1 Tejari | 1 Bravo Solution | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | In the Bravo Tejari Procurement Portal, uploaded files are not properly validated by the application on either the client or the server side. An attacker can upload malicious executable files to compromise the application, as demonstrated by an esop/evm/OPPreliminaryForms.do?formId=857 request. |
CVE-2017-1499 | 1 Ibm | 2 Maximo Asset Management, Maximo Asset Management Essentials | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker to include arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable web server. IBM X-Force ID: 129106. |
CVE-2018-0571 | 1 Basercms | 1 Basercms | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM | baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote attackers with site operator privileges to upload arbitrary files. |
CVE-2018-6411 | 1 Machform | 1 Machform | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Appnitro MachForm before 4.2.3. When a form is configured to filter by blacklist, dangerous extensions are added to the filter automatically. If the filter is configured as a whitelist instead, the dangerous extensions can be bypassed via ap_form_elements SQL injection. |
CVE-2018-7665 | 1 Clip-bucket | 1 Clipbucket | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered in ClipBucket before 4.0.0 Release 4902. A malicious file can be uploaded via the name parameter to actions/beats_uploader.php or actions/photo_uploader.php, or via the coverPhoto parameter to edit_account.php. |
CVE-2018-1453 | 1 Ibm | 1 Security Identity Manager | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | IBM Security Identity Manager Virtual Appliance 7.0 allows an authenticated attacker to upload or transfer files of dangerous types that can be automatically processed within the environment. IBM X-Force ID: 140055. |
CVE-2018-9153 | 1 Zblogcn | 1 Z-blogphp | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF. |
CVE-2017-14521 | 1 Wondercms | 1 Wondercms | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | In WonderCMS 2.3.1, the upload functionality accepts arbitrary application file extensions, leading to malicious file upload. |
CVE-2018-11736 | 1 Pluck-cms | 1 Pluck | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file. |
CVE-2018-1000094 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | CMS Made Simple version 2.2.5 contains a remote code execution vulnerability in the File Manager that allows an authenticated admin with access to the file manager to execute code on the server. The attack appears to be exploitable via file upload followed by copying the file to an arbitrary extension. |
CVE-2016-10258 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2024-02-28 | 6.0 MEDIUM | 6.8 MEDIUM | Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator into downloading and executing malicious code. |
CVE-2018-12528 | 1 Intex | 2 N150, N150 Firmware | 2024-02-28 | 7.5 HIGH | 8.1 HIGH | An issue was discovered on Intex N150 devices. The backup/restore option does not check the extension of the file uploaded to import a configuration backup, which can corrupt the router's firmware settings or allow malicious files to be uploaded. To exploit the vulnerability, an attacker uploads a malicious file and forces a reboot of the router with it. |
CVE-2018-4921 | 1 Adobe | 1 Connect | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure. |