Total
2451 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51034 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2024-09-09 | N/A | 9.8 CRITICAL |
| TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi UploadFirmwareFile interface. | |||||
| CVE-2024-44849 | 2024-09-09 | N/A | 9.8 CRITICAL | ||
| Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php. | |||||
| CVE-2024-34692 | 1 Sap | 1 Enable Now | 2024-09-09 | N/A | 4.6 MEDIUM |
| Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application. | |||||
| CVE-2024-39865 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-09-09 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution. | |||||
| CVE-2024-7620 | 2024-09-09 | N/A | 6.6 MEDIUM | ||
| The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created. | |||||
| CVE-2022-2297 | 1 Oretnom23 | 1 Clinic\'s Patient Management System | 2024-09-07 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the argument profile_picture with the input <?php phpinfo();?> leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-40471 | 1 Oretnom23 | 1 Clinic\'s Patient Management System | 2024-09-07 | N/A | 9.8 CRITICAL |
| Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php | |||||
| CVE-2024-5008 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE usingĀ Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. | |||||
| CVE-2024-31680 | 2024-09-06 | N/A | 8.8 HIGH | ||
| File Upload vulnerability in Shibang Communications Co., Ltd. IP network intercom broadcasting system v.1.0 allows a local attacker to execute arbitrary code via the my_parser.php component. | |||||
| CVE-2024-8164 | 1 Beikeshop | 1 Beikeshop | 2024-09-06 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this issue is the function rename of the file /Admin/Http/Controllers/FileManagerController.php. The manipulation of the argument new_name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-31777 | 2024-09-06 | N/A | 9.8 CRITICAL | ||
| File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint. | |||||
| CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2024-09-06 | N/A | 7.2 HIGH |
| ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system command on the server. | |||||
| CVE-2024-6280 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-09-06 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269493 was assigned to this vulnerability. | |||||
| CVE-2024-45076 | 1 Ibm | 1 Webmethods Integration | 2024-09-06 | N/A | 9.9 CRITICAL |
| IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system. | |||||
| CVE-2024-43249 | 1 Bitapps | 1 Bit Form | 2024-09-06 | N/A | 8.8 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through 2.6.4. | |||||
| CVE-2024-45171 | 2024-09-05 | N/A | 8.8 HIGH | ||
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. By analyzing the C-MOR web interface, it was found out that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the filename contains a .cbkf string. Therefore, webshell.cbkf.php is considered a valid file name for the C-MOR web application. Uploaded files are stored within the directory "/srv/www/backups" on the C-MOR system, and can thus be accessed via the URL https://<HOST>/backup/upload_<FILENAME>. Due to broken access control, low-privileged authenticated users can also use this file upload functionality. | |||||
| CVE-2024-40645 | 1 Fogproject | 1 Fogproject | 2024-09-05 | N/A | 8.8 HIGH |
| FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41. | |||||
| CVE-2024-6945 | 1 Flute-cms | 1 Flute | 2024-09-05 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067. | |||||
| CVE-2023-41725 | 1 Ivanti | 1 Avalanche | 2024-09-05 | N/A | 7.8 HIGH |
| Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability | |||||
| CVE-2023-33480 | 1 Remoteclinic | 1 Remote Clinic | 2024-09-05 | N/A | 8.8 HIGH |
| RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. The vulnerabilities are caused by a lack of input validation and access control in the staff/register.php endpoint and the edit-my-profile.php page. By sending a series of specially crafted requests to the RemoteClinic application, an attacker can create admin users with more privileges than their own, upload a PHP file containing arbitrary code, and execute arbitrary commands via the PHP shell. | |||||