Total
2653 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27274 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12124. | |||||
| CVE-2021-27198 | 1 Visualware | 1 Myconnection Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system. | |||||
| CVE-2021-26918 | 1 Probot | 1 Bot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side. | |||||
| CVE-2021-26828 | 1 Openplcproject | 1 Scadabr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. | |||||
| CVE-2021-26809 | 1 Phpgurukul | 1 Car Rental Portal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php. | |||||
| CVE-2021-26794 | 1 Frogcms Project | 1 Frogcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows attacker to execute arbitrary code via crafted php file. | |||||
| CVE-2021-26740 | 1 Doyocms Project | 1 Doyocms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code. | |||||
| CVE-2021-26642 | 2 Microsoft, Xpressengine | 2 Windows, Xpressengine | 2024-11-21 | N/A | 8.8 HIGH |
| When uploading an image file to a bulletin board developed with XpressEngine, a vulnerability in which an arbitrary file can be uploaded due to insufficient verification of the file. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bulletin board is running. | |||||
| CVE-2021-26634 | 2 Linux, Maxb | 2 Linux Kernel, Maxboard | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code execution or privilege escalation. Attackers can use these vulnerabilities to perform attacks such as stealing server management rights using a web shell. | |||||
| CVE-2021-26597 | 1 Nokia | 1 Netact | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. | |||||
| CVE-2021-26473 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. | |||||
| CVE-2021-25780 | 1 Baby Care System Project | 1 Baby Care System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An arbitrary file upload vulnerability has been identified in posts.php in Baby Care System 1.0. The vulnerability could be exploited by an remote attacker to upload content to the server, including PHP files, which could result in command execution and obtaining a shell. | |||||
| CVE-2021-25211 | 1 Online Ordering System Project | 1 Online Ordering System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester Ordering System v 1.0 allows attackers to execute arbitrary code, via the file upload to ordering\admin\products\edit.php. | |||||
| CVE-2021-25210 | 1 Alumni Management System Project | 1 Alumni Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester Alumni Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to manage_event.php. | |||||
| CVE-2021-25208 | 1 Travel Management System Project | 1 Travel Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester Travel Management System v 1.0 allows attackers to execute arbitrary code via the file upload to updatepackage.php. | |||||
| CVE-2021-25207 | 1 E-commerce Website Project | 1 E-commerce Website | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to prodViewUpdate.php. | |||||
| CVE-2021-25206 | 1 Responsive Ordering System Project | 1 Responsive Ordering System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester Responsive Ordering System v 1.0 allows attackers to execute arbitrary code via the file upload to Product_model.php. | |||||
| CVE-2021-25203 | 1 Victor Cms Project | 1 Victor Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in Victor CMS v 1.0 allows attackers to execute arbitrary code via the file upload to \CMSsite-master\admin\includes\admin_add_post.php. | |||||
| CVE-2021-25200 | 1 Learning Management System Project | 1 Learning Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary file upload vulnerability in SourceCodester Learning Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to \lms\student_avatar.php. | |||||
| CVE-2021-25119 | 1 Wpsocket | 1 Automatic Grid Image Listing | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE | |||||