Total
2650 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41919 | 1 Webtareas Project | 1 Webtareas | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing a personal profile picture. The affected endpoint is /includes/upload.php on the HTTP POST data. This allows an attacker to exploit the platform by injecting code or malware and, under certain conditions, to execute code on remote user browsers. | |||||
| CVE-2021-41870 | 1 Socomec | 2 Remote View Pro, Remote View Pro Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the firmware update form in Socomec REMOTE VIEW PRO 2.0.41.4. An authenticated attacker can bypass a client-side file-type check and upload arbitrary .php files. | |||||
| CVE-2021-41833 | 1 Zohocorp | 1 Manageengine Patch Connect Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution. | |||||
| CVE-2021-41745 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ShowDoc 2.8.3 ihas a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions. | |||||
| CVE-2021-41675 | 1 E-negosyo System Project | 1 E-negosyo System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. . | |||||
| CVE-2021-41646 | 1 Online Reviewer System Project | 1 Online Reviewer System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.. | |||||
| CVE-2021-41645 | 1 Oretnom23 | 1 Budget And Expense Tracker System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. . | |||||
| CVE-2021-41644 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters. | |||||
| CVE-2021-41643 | 1 Church Management System Project | 1 Church Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field. | |||||
| CVE-2021-41566 | 1 Tadtools Project | 1 Tadtools | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The file extension of the TadTools file upload function fails to filter, thus remote attackers can upload any types of files and execute arbitrary code without logging in. | |||||
| CVE-2021-41560 | 1 Opencats | 1 Opencats | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. | |||||
| CVE-2021-41550 | 1 Leostream | 1 Connection Broker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code. | |||||
| CVE-2021-41421 | 1 Maianmedia | 1 Maianaffiliate | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A PHP code injection vulnerability in MaianAffiliate v.1.0 allows an authenticated attacker to gain RCE through the MaianAffiliate admin panel. | |||||
| CVE-2021-41231 | 1 Openmage | 1 Magento | 2024-11-21 | N/A | 7.2 HIGH |
| OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | |||||
| CVE-2021-41178 | 1 Nextcloud | 1 Server | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-40954 | 1 Laiketui | 1 Laiketui | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Laiketui 3.5.0 is affected by an arbitrary file upload vulnerability that can allow an attacker to execute arbitrary code. | |||||
| CVE-2021-40940 | 1 Monstra | 1 Monstra | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability. | |||||
| CVE-2021-40905 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner | |||||
| CVE-2021-40883 | 1 Emlog | 1 Emlog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. | |||||
| CVE-2021-40845 | 1 Zenitel | 1 Alphacom Xe Audio Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory. | |||||