Total
2655 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11815 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | |||||
| CVE-2020-11811 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the server using this malicious file. | |||||
| CVE-2020-11807 | 1 Sourcefabric | 1 Newscoop | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path. | |||||
| CVE-2020-11722 | 1 Dungeon Crawl Stone Soup Project | 1 Dungeon Crawl Stone Soup | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file. | |||||
| CVE-2020-11598 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | |||||
| CVE-2020-11544 | 1 Projectworlds | 1 Official Car Rental System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for executable files. | |||||
| CVE-2020-11486 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution. | |||||
| CVE-2020-11476 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. | |||||
| CVE-2020-11451 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. | |||||
| CVE-2020-11108 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh. | |||||
| CVE-2020-11011 | 1 Phproject | 1 Phproject | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| In Phproject before version 1.7.8, there's a vulnerability which allows users with access to file uploads to execute arbitrary code. This is patched in version 1.7.8. | |||||
| CVE-2020-10964 | 2 Microsoft, S9y | 2 Windows, Serendipity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename. | |||||
| CVE-2020-10963 | 1 Frozennode | 1 Laravel-administrator | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued. | |||||
| CVE-2020-10934 | 1 Acyba | 1 Acymailing | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. | |||||
| CVE-2020-10806 | 1 Ez | 2 Ez Publish-kernel, Ez Publish-legacy | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution. | |||||
| CVE-2020-10682 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file). | |||||
| CVE-2020-10621 | 1 Advantech | 1 Webaccess\/nms | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2). | |||||
| CVE-2020-10569 | 1 Sysaid | 1 On-premise | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the system by chaining it with a GhostCat attack. NOTE: This may be a duplicate of CVE-2020-1938 | |||||
| CVE-2020-10562 | 1 Devome | 1 Grr | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in DEVOME GRR before 3.4.1c. admin_edit_room.php mishandles file uploads. | |||||
| CVE-2020-10557 | 1 Atutor | 1 Acontent | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in AContent through 1.4. It allows the user to run commands on the server with a low-privileged account. The upload section in the file manager page contains an arbitrary file upload vulnerability via upload.php. The extension .php7 bypasses file upload restrictions. | |||||