Vulnerabilities (CVE)

Filtered by CWE-434
Total 2604 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-7316 1 Christianwebministries 1 Proclaim 2024-02-28 7.5 HIGH 9.8 CRITICAL
Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action.
CVE-2018-11340 1 Asustor 2 As6202t, As6202t Firmware 2024-02-28 9.0 HIGH 7.2 HIGH
An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed.
CVE-2018-5997 1 Ravpower 1 Filehub Firmware 2024-02-28 10.0 HIGH 9.8 CRITICAL
An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Due to an unrestricted upload feature and a path traversal vulnerability, it is possible to upload a file on a filesystem with root privileges: this will lead to remote code execution as root.
CVE-2018-11221 1 Artica 1 Pandora Fms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system.
CVE-2018-11091 1 Mybiz 1 Myprocurenet 2024-02-28 9.0 HIGH 9.9 CRITICAL
An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.
CVE-2018-10760 1 Projectpier 1 Projectpier 2024-02-28 6.5 MEDIUM 8.8 HIGH
Unrestricted file upload vulnerability in the Files plugin in ProjectPier 0.88 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the tmp directory under the document root.
CVE-2018-12045 1 Dedecms 1 Dedecms 2024-02-28 7.5 HIGH 9.8 CRITICAL
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file.
CVE-2017-17976 1 Perfexcrm 1 Perfex Crm 2024-02-28 7.5 HIGH 9.8 CRITICAL
In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution.
CVE-2018-0587 1 Ultimatemember 1 User Profile \& Membership 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
CVE-2018-8766 1 Joyplus-cms Project 1 Joyplus-cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbitrary File Upload issue in manager/editor/upload.php, related to manager/admin_vod.php?action=add.
CVE-2018-4834 1 Siemens 10 Pxc001-e.d, Pxc001-e.d Firmware, Pxc00\/50\/100\/200-e.d and 7 more 2024-02-28 10.0 HIGH 9.8 CRITICAL
A vulnerability has been identified in Desigo PXC00-E.D V4.10 (All versions < V4.10.111), Desigo PXC00-E.D V5.00 (All versions < V5.0.171), Desigo PXC00-E.D V5.10 (All versions < V5.10.69), Desigo PXC00-E.D V6.00 (All versions < V6.0.204), Desigo PXC00/64/128-U V4.10 (All versions < V4.10.111 only with web module), Desigo PXC00/64/128-U V5.00 (All versions < V5.0.171 only with web module), Desigo PXC00/64/128-U V5.10 (All versions < V5.10.69 only with web module), Desigo PXC00/64/128-U V6.00 (All versions < V6.0.204 only with web module), Desigo PXC001-E.D V4.10 (All versions < V4.10.111), Desigo PXC001-E.D V5.00 (All versions < V5.0.171), Desigo PXC001-E.D V5.10 (All versions < V5.10.69), Desigo PXC001-E.D V6.00 (All versions < V6.0.204), Desigo PXC100-E.D V4.10 (All versions < V4.10.111), Desigo PXC100-E.D V5.00 (All versions < V5.0.171), Desigo PXC100-E.D V5.10 (All versions < V5.10.69), Desigo PXC100-E.D V6.00 (All versions < V6.0.204), Desigo PXC12-E.D V4.10 (All versions < V4.10.111), Desigo PXC12-E.D V5.00 (All versions < V5.0.171), Desigo PXC12-E.D V5.10 (All versions < V5.10.69), Desigo PXC12-E.D V6.00 (All versions < V6.0.204), Desigo PXC200-E.D V4.10 (All versions < V4.10.111), Desigo PXC200-E.D V5.00 (All versions < V5.0.171), Desigo PXC200-E.D V5.10 (All versions < V5.10.69), Desigo PXC200-E.D V6.00 (All versions < V6.0.204), Desigo PXC22-E.D V4.10 (All versions < V4.10.111), Desigo PXC22-E.D V5.00 (All versions < V5.0.171), Desigo PXC22-E.D V5.10 (All versions < V5.10.69), Desigo PXC22-E.D V6.00 (All versions < V6.0.204), Desigo PXC22.1-E.D V4.10 (All versions < V4.10.111), Desigo PXC22.1-E.D V5.00 (All versions < V5.0.171), Desigo PXC22.1-E.D V5.10 (All versions < V5.10.69), Desigo PXC22.1-E.D V6.00 (All versions < V6.0.204), Desigo PXC36.1-E.D V4.10 (All versions < V4.10.111), Desigo PXC36.1-E.D V5.00 (All versions < V5.0.171), Desigo PXC36.1-E.D V5.10 (All versions < V5.10.69), Desigo PXC36.1-E.D V6.00 (All versions < V6.0.204), Desigo PXC50-E.D V4.10 (All versions < V4.10.111), Desigo PXC50-E.D V5.00 (All versions < V5.0.171), Desigo PXC50-E.D V5.10 (All versions < V5.10.69), Desigo PXC50-E.D V6.00 (All versions < V6.0.204), Desigo PXM20-E V4.10 (All versions < V4.10.111), Desigo PXM20-E V5.00 (All versions < V5.0.171), Desigo PXM20-E V5.10 (All versions < V5.10.69), Desigo PXM20-E V6.00 (All versions < V6.0.204). A remote attacker with network access to the device could potentially upload a new firmware image to the devices without prior authentication.
CVE-2018-5749 2 Minecraft Servers List Lite Project, Premium Minecraft Servers List Project 2 Minecraft Servers List Lite, Premium Minecraft Servers List 2024-02-28 10.0 HIGH 9.8 CRITICAL
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter.
CVE-2018-6860 1 Schools Alert Management Script Project 1 Schools Alert Management Script 2024-02-28 6.5 MEDIUM 8.8 HIGH
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.
CVE-2018-7505 1 Advantech 4 Webaccess, Webaccess\/nms, Webaccess Dashboard and 1 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-11098 1 Frog Cms Project 1 Frog Cms 2024-02-28 6.5 MEDIUM 7.2 HIGH
An issue was discovered in Frog CMS 0.9.5. There is a file upload vulnerability via the admin/?/plugin/file_manager/upload URI, a similar issue to CVE-2014-4912.
CVE-2018-0258 1 Cisco 2 Prime Data Center Network Manager, Prime Infrastructure 2024-02-28 10.0 HIGH 9.8 CRITICAL
A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability affects the following products: Cisco Prime Data Center Network Manager (DCNM) Version 10.0 and later, and Cisco Prime Infrastructure (PI) All versions. Cisco Bug IDs: CSCvf32411, CSCvf81727.
CVE-2018-8944 1 Phpok 1 Phpok 2024-02-28 7.5 HIGH 9.8 CRITICAL
PHPOK 4.8.338 has an arbitrary file upload vulnerability.
CVE-2018-13038 1 Opendesa 1 Opensid 2024-02-28 7.5 HIGH 9.8 CRITICAL
OpenSID 18.06-pasca has an Unrestricted File Upload vulnerability via an Attachment Document in the article feature. This vulnerability leads to uploading arbitrary PHP code via a .php filename with the application/pdf Content-Type.
CVE-2014-2592 1 Arubanetworks 1 Web Management Portal 2024-02-28 7.5 HIGH 9.8 CRITICAL
Unrestricted file upload vulnerability in Aruba Web Management portal allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
CVE-2018-1000619 1 Ovidentia 1 Ovidentia 2024-02-28 6.5 MEDIUM 8.8 HIGH
Ovidentia version 8.4.3 and earlier contains a Unsanitized User Input vulnerability in utilit.php, bab_getAddonFilePathfromTg that can result in Authenticated Remote Code Execution. This attack appear to be exploitable via The attacker must have permission to upload addons.