Vulnerabilities (CVE)

Filtered by CWE-434
Total: 2641 CVEs
CVE | Vendors (count) | Products (count) | Updated | CVSS v2 | CVSS v3

CVE-2023-41626 | Gradio Project (1) | Gradio (1) | 2024-02-28 | N/A | 4.8 MEDIUM
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.

CVE-2023-4159 | Omeka (1) | Omeka S (1) | 2024-02-28 | N/A | 8.8 HIGH
Unrestricted Upload of File with Dangerous Type in GitHub repository omeka/omeka-s prior to 4.0.3.

CVE-2023-1720 | Bitrix24 (1) | Bitrix24 (1) | 2024-02-28 | N/A | 8.0 HIGH
Lack of a MIME type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privileges, by uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.

CVE-2023-43838 | Personal-management-system (1) | Personal Management System (1) | 2024-02-28 | N/A | 7.8 HIGH
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code by uploading a crafted SVG file as a user profile's avatar.

CVE-2023-45384 | Knowband (1) | Supercheckout (1) | 2024-02-28 | N/A | 9.8 CRITICAL
KnowBand supercheckout > 5.0.7 and < 6.0.7 is vulnerable to Unrestricted Upload of File with Dangerous Type. In the module "Module One Page Checkout, Social Login & Mailchimp" (supercheckout), a guest can upload files with extensions .php

CVE-2023-38404 | Veritas (1) | Infoscale Operations Manager (1) | 2024-02-28 | N/A | 8.8 HIGH
The XPRTLD web application in Veritas InfoScale Operations Manager (VIOM) before 8.0.0.410 allows an authenticated attacker to upload all types of files to the server. An authenticated attacker can then execute the malicious file to perform command execution on the remote server.

CVE-2023-34394 | Keysight (1) | Geolocation Server (1) | 2024-02-28 | N/A | 7.8 HIGH
In Keysight Geolocation Server v2.4.2 and prior, an attacker could upload a specially crafted malicious file or delete any file or directory with SYSTEM privileges due to improper path validation, which could result in local privilege escalation or a denial-of-service condition.

CVE-2023-4817 | Icpdas (1) | Et-7060, Et-7060 Firmware (2) | 2024-02-28 | N/A | 8.8 HIGH
This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device.

CVE-2023-41357 | Gss (1) | Vitals Enterprise Social Platform (1) | 2024-02-28 | N/A | 8.8 HIGH
Galaxy Software Services Corporation Vitals ESP is an online knowledge base management portal; it has insufficient filtering and validation during file upload. An authenticated remote attacker with general user privileges can exploit this vulnerability to upload and execute scripts in arbitrary directories to perform arbitrary system operations or disrupt service.

CVE-2023-46428 | Hadsky (1) | Hadsky (1) | 2024-02-28 | N/A | 8.8 HIGH
An arbitrary file upload vulnerability in HadSky v7.12.10 allows attackers to execute arbitrary code via a crafted file.

CVE-2023-45952 | Lylme (1) | Lylme Spage (1) | 2024-02-28 | N/A | 9.8 CRITICAL
An arbitrary file upload vulnerability in the component ajax_link.php of lylme_spage v1.7.0 allows attackers to execute arbitrary code by uploading a crafted file.

CVE-2023-44008 | Mojoportal (1) | Mojoportal (1) | 2024-02-28 | N/A | 9.8 CRITICAL
A file upload vulnerability in mojoPortal v2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.

CVE-2023-5185 | Projectworlds (1) | Gym Management System Project (1) | 2024-02-28 | N/A | 8.8 HIGH
Gym Management System Project v1.0 has an insecure file upload vulnerability in the 'file' parameter of the profile/i.php page, allowing an authenticated attacker to obtain remote code execution on the server hosting the application.

CVE-2023-31941 | Online Travel Agency System Project (1) | Online Travel Agency System (1) | 2024-02-28 | N/A | 7.2 HIGH
A file upload vulnerability in Online Travel Agency System v1.0 allows a remote attacker to execute arbitrary code via a crafted PHP file uploaded to employee_insert.php.

CVE-2023-27083 | Pluck-cms (1) | Pluck (1) | 2024-02-28 | N/A | 7.2 HIGH
An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via the file management functionality.

CVE-2022-33166 | Ibm (1) | Security Directory Suite Va (1) | 2024-02-28 | N/A | 7.2 HIGH
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 228586.

CVE-2023-33386 | Marsctf Project (1) | Marsctf (1) | 2024-02-28 | N/A | 9.8 CRITICAL
MarsCTF 1.2.1 has an arbitrary file upload vulnerability in the back-end attachment upload interface.

CVE-2023-33569 | Faculty Evaluation System Project (1) | Faculty Evaluation System (1) | 2024-02-28 | N/A | 7.2 HIGH
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via ip/eval/ajax.php?action=update_user.

CVE-2023-3491 | Fossbilling (1) | Fossbilling (1) | 2024-02-28 | N/A | 8.8 HIGH
Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.

CVE-2023-33404 | Blogengine (1) | Blogengine.net (1) | 2024-02-28 | N/A | 9.8 CRITICAL
An unrestricted upload vulnerability, due to insufficient validation in the UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute code remotely.