Total
2654 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9423 | 1 Logicaldoc | 1 Logicaldoc | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. LogicalDoc provides a functionality to add documents. Those documents could then be used for multiple tasks, such as version control, shared among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file in a restricted folder. This would lead to the executions of malicious commands with root privileges. | |||||
| CVE-2020-9380 | 1 Whmcssmarters | 1 Web Tv Player | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script. | |||||
| CVE-2020-9320 | 1 Avira | 8 Anti-malware Sdk, Antivirus Server, Avira Antivirus For Endpoint and 5 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. NOTE: Vendor asserts that vulnerability does not exist in product | |||||
| CVE-2020-9309 | 1 Silverstripe | 2 Mimevalidator, Recipe | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected. | |||||
| CVE-2020-9280 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. | |||||
| CVE-2020-8974 | 1 Zigor | 2 Zgr Tps200 Ng, Zgr Tps200 Ng Firmware | 2024-11-21 | N/A | 10.0 CRITICAL |
| In ZGR TPS200 NG 2.00 firmware version and 1.01 hardware version, the firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable. | |||||
| CVE-2020-8866 | 2 Debian, Horde | 3 Debian Linux, Groupware, Horde Form | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125. | |||||
| CVE-2020-8639 | 1 Testlink | 1 Testlink | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. | |||||
| CVE-2020-8511 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. | |||||
| CVE-2020-8500 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality | |||||
| CVE-2020-8440 | 1 Simplejobscript | 1 Simplejobscript | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume. | |||||
| CVE-2020-8260 | 1 Pulsesecure | 1 Pulse Secure Desktop Client | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | |||||
| CVE-2020-8181 | 1 Nextcloud | 1 Contacts | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | |||||
| CVE-2020-8162 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | |||||
| CVE-2020-7998 | 1 Super File Explorer Project | 1 Super File Explorer | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An arbitrary file upload vulnerability has been discovered in the Super File Explorer app 1.0.1 for iOS. The vulnerability is located in the developer path that is accessible and hidden next to the root path. By default, there is no password set for the FTP or Web UI service. | |||||
| CVE-2020-7935 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access. | |||||
| CVE-2020-7864 | 1 Dext5 | 1 Dext5 Editor | 2024-11-21 | 7.5 HIGH | 7.8 HIGH |
| Parameter manipulation can bypass authentication to cause file upload and execution. This will execute the remote code. This issue affects: Raonwiz DEXT5Editor versions prior to 3.5.1405747.1100.03. | |||||
| CVE-2020-7847 | 1 Iptime | 18 Nas-i, Nas-i Firmware, Nas-ii and 15 more | 2024-11-21 | 5.2 MEDIUM | 7.4 HIGH |
| The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36. | |||||
| CVE-2020-7569 | 1 Schneider-electric | 1 Webreports | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution. | |||||
| CVE-2020-7302 | 1 Mcafee | 1 Data Loss Prevention | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Unrestricted Upload of File with Dangerous Type in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to upload malicious files to the DLP case management section via lack of sanity checking. | |||||