Total
2604 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-7384 | 1 Acymailing | 1 Acymailing | 2024-09-27 | N/A | 8.8 HIGH |
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2023-40784 | 1 Dedecms | 1 Dedecms | 2024-09-26 | N/A | 9.8 CRITICAL |
DedeCMS 5.7.102 has a File Upload vulnerability via uploads/dede/module_make.php. | |||||
CVE-2024-7770 | 1 Bitapps | 1 File Manager | 2024-09-26 | N/A | 8.8 HIGH |
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-46101 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
GDidees CMS <= v3.9.1 has a file upload vulnerability. | |||||
CVE-2024-9036 | 2024-09-26 | 6.5 MEDIUM | 6.3 MEDIUM | ||
A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_add.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-26686 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop. | |||||
CVE-2023-26690 | 2024-09-26 | N/A | 8.8 HIGH | ||
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File Manager/Editor component in the vendor or admin menu. | |||||
CVE-2024-45398 | 1 Contao | 1 Contao | 2024-09-25 | N/A | 8.8 HIGH |
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory. | |||||
CVE-2024-8338 | 1 Hfo4 | 1 Shudong-share | 2024-09-25 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
CVE-2024-40125 | 1 Closed-loop | 1 Cless Server | 2024-09-25 | N/A | 9.8 CRITICAL |
An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint. | |||||
CVE-2023-43619 | 1 Schollz | 1 Croc | 2024-09-25 | N/A | 7.8 HIGH |
An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file. | |||||
CVE-2023-38887 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-09-25 | N/A | 8.8 HIGH |
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. | |||||
CVE-2023-43226 | 1 Dedecms | 1 Dedecms | 2024-09-23 | N/A | 8.8 HIGH |
An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
CVE-2024-6948 | 1 Gargaj | 1 Wuhu | 2024-09-20 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability classified as critical has been found in Gargaj wuhu up to 3faad49bfcc3895e9ff76a591d05c8941273d120. Affected is an unknown function of the file /slideeditor.php of the component Slide Editor. The manipulation of the argument newSlideFile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. VDB-272070 is the identifier assigned to this vulnerability. | |||||
CVE-2024-46377 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php. | |||||
CVE-2024-46373 | 2024-09-20 | N/A | 8.8 HIGH | ||
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend. | |||||
CVE-2024-2381 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2024-09-20 | N/A | 8.8 HIGH |
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2023-43269 | 1 Pigcms | 1 Pigcms | 2024-09-19 | N/A | 9.8 CRITICAL |
pigcms up to 7.0 was discovered to contain an arbitrary file upload vulnerability. | |||||
CVE-2024-27115 | 1 Soplanning | 1 Soplanning | 2024-09-18 | N/A | 9.8 CRITICAL |
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02. | |||||
CVE-2024-8242 | 1 Inspireui | 1 Mstore Api | 2024-09-18 | N/A | 8.8 HIGH |
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue. |