Vulnerabilities (CVE)

Filtered by CWE-434
Total 2604 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7384 1 Acymailing 1 Acymailing 2024-09-27 N/A 8.8 HIGH
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2023-40784 1 Dedecms 1 Dedecms 2024-09-26 N/A 9.8 CRITICAL
DedeCMS 5.7.102 has a File Upload vulnerability via uploads/dede/module_make.php.
CVE-2024-7770 1 Bitapps 1 File Manager 2024-09-26 N/A 8.8 HIGH
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-46101 2024-09-26 N/A 9.8 CRITICAL
GDidees CMS <= v3.9.1 has a file upload vulnerability.
CVE-2024-9036 2024-09-26 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_add.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-26686 2024-09-26 N/A 9.8 CRITICAL
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
CVE-2023-26690 2024-09-26 N/A 8.8 HIGH
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File Manager/Editor component in the vendor or admin menu.
CVE-2024-45398 1 Contao 1 Contao 2024-09-25 N/A 8.8 HIGH
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.
CVE-2024-8338 1 Hfo4 1 Shudong-share 2024-09-25 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-40125 1 Closed-loop 1 Cless Server 2024-09-25 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint.
CVE-2023-43619 1 Schollz 1 Croc 2024-09-25 N/A 7.8 HIGH
An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.
CVE-2023-38887 1 Dolibarr 1 Dolibarr Erp/crm 2024-09-25 N/A 8.8 HIGH
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
CVE-2023-43226 1 Dedecms 1 Dedecms 2024-09-23 N/A 8.8 HIGH
An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-6948 1 Gargaj 1 Wuhu 2024-09-20 6.5 MEDIUM 9.8 CRITICAL
A vulnerability classified as critical has been found in Gargaj wuhu up to 3faad49bfcc3895e9ff76a591d05c8941273d120. Affected is an unknown function of the file /slideeditor.php of the component Slide Editor. The manipulation of the argument newSlideFile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. VDB-272070 is the identifier assigned to this vulnerability.
CVE-2024-46377 2024-09-20 N/A 9.8 CRITICAL
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.
CVE-2024-46373 2024-09-20 N/A 8.8 HIGH
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.
CVE-2024-2381 1 Ali2woo 1 Aliexpress Dropshipping With Alinext 2024-09-20 N/A 8.8 HIGH
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2023-43269 1 Pigcms 1 Pigcms 2024-09-19 N/A 9.8 CRITICAL
pigcms up to 7.0 was discovered to contain an arbitrary file upload vulnerability.
CVE-2024-27115 1 Soplanning 1 Soplanning 2024-09-18 N/A 9.8 CRITICAL
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
CVE-2024-8242 1 Inspireui 1 Mstore Api 2024-09-18 N/A 8.8 HIGH
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.