Total
2642 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-25627 | 2024-02-28 | N/A | 3.5 LOW | ||
Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-6976 | 1 Lfprojects | 1 Mlflow | 2024-02-28 | N/A | 8.8 HIGH |
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. | |||||
CVE-2023-52086 | 1 Startutorial | 1 Php Backend For Resumable.js | 2024-02-28 | N/A | 8.1 HIGH |
resumable.php (aka PHP backend for resumable.js) 0.1.4 before 3c6dbf5 allows arbitrary file upload anywhere in the filesystem via ../ in multipart/form-data content to upload.php. (File overwrite hasn't been possible with the code available in GitHub in recent years, however.) | |||||
CVE-2023-40051 | 1 Progress | 2 Openedge, Openedge Innovation | 2024-02-28 | N/A | 9.9 CRITICAL |
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE. If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible. | |||||
CVE-2023-25970 | 1 Zendrop | 1 Zendrop | 2024-02-28 | N/A | 9.8 CRITICAL |
Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0. | |||||
CVE-2023-48930 | 1 Rockoa | 1 Xinhu | 2024-02-28 | N/A | 9.8 CRITICAL |
xinhu xinhuoa 2.2.1 contains a File upload vulnerability. | |||||
CVE-2023-48371 | 1 Itpison | 1 Omicard Edm | 2024-02-28 | N/A | 9.8 CRITICAL |
ITPison OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary system commands or disrupt service. | |||||
CVE-2023-6187 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-02-28 | N/A | 8.8 HIGH |
The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since version 2.6) or PayPal Express is set as the payment method and a custom user field is added that is only visible at profile, and not visible at checkout according to its settings. | |||||
CVE-2023-6636 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2024-02-28 | N/A | 7.2 HIGH |
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2023-6220 | 1 Piotnet | 1 Piotnet Forms | 2024-02-28 | N/A | 9.8 CRITICAL |
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2023-31505 | 1 Schlix | 1 Cms | 2024-02-28 | N/A | 7.2 HIGH |
An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file. | |||||
CVE-2023-51928 | 1 Yonyou | 1 Yonbip | 2024-02-28 | N/A | 9.8 CRITICAL |
An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
CVE-2023-49052 | 1 Microweber | 1 Microweber | 2024-02-28 | N/A | 8.8 HIGH |
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. | |||||
CVE-2023-46149 | 1 Themify | 1 Ultra | 2024-02-28 | N/A | 8.8 HIGH |
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5. | |||||
CVE-2024-22515 | 1 Ispyconnect | 1 Agent Dvr | 2024-02-28 | N/A | 8.8 HIGH |
Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component. | |||||
CVE-2023-5822 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2024-02-28 | N/A | 9.8 CRITICAL |
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types. | |||||
CVE-2023-42017 | 1 Ibm | 1 Planning Analytics | 2024-02-28 | N/A | 9.8 CRITICAL |
IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567. | |||||
CVE-2023-46264 | 2 Ivanti, Microsoft | 2 Avalanche, Windows | 2024-02-28 | N/A | 9.8 CRITICAL |
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution. | |||||
CVE-2024-24714 | 2024-02-28 | N/A | 7.2 HIGH | ||
Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4. | |||||
CVE-2023-29384 | 1 Hmplugin | 1 Jobwp | 2024-02-28 | N/A | 9.8 CRITICAL |
Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0. |