Total
2655 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4130 | 1 Ibm | 1 Cloud Pak System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 158280. | |||||
| CVE-2019-4069 | 1 Ibm | 3 Intelligent Operations Center, Intelligent Operations Center For Emergency Management, Water Operations For Waternamics | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not properly validate file types, allowing an attacker to upload malicious content. IBM X-Force ID: 157014. | |||||
| CVE-2019-4056 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Maximo Asset Management 7.6 Work Centers' application does not validate file type upon upload, allowing attackers to upload malicious files. IBM X-Force ID: 156565. | |||||
| CVE-2019-4013 | 1 Ibm | 1 Bigfix Platform | 2024-11-21 | 9.0 HIGH | 9.0 CRITICAL |
| IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. IBM X-Force ID: 155887. | |||||
| CVE-2019-3960 | 1 Wallaceit | 1 Wallacepos | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file. | |||||
| CVE-2019-3940 | 1 Advantech | 1 Webaccess | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call. An unauthenticated, remote attacker can use this vulnerability to execute arbitrary code. | |||||
| CVE-2019-3495 | 1 Indionetworks | 2 Unibox, Unibox Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using Hard coded credentials. | |||||
| CVE-2019-3489 | 1 Microfocus | 1 Content Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An unauthenticated file upload vulnerability has been identified in the Web Client component of Micro Focus Content Manager 9.1, 9.2, and 9.3 when configured to use the ADFS authentication method. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to arbitrary locations on the Content Manager server. | |||||
| CVE-2019-25138 | 1 Plugin-planet | 1 User Submitted Posts | 2024-11-21 | N/A | 9.8 CRITICAL |
| The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | |||||
| CVE-2019-20897 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1. | |||||
| CVE-2019-20451 | 1 Samsung | 2 Prismview Player 11, Prismview System 9 | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC. (Authentication is required but an XML file containing credentials can be downloaded.) | |||||
| CVE-2019-20385 | 1 Logaritmo | 1 Aware Callmanager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/* content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI. | |||||
| CVE-2019-20183 | 1 Employee Records System Project | 1 Employee Records System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension. | |||||
| CVE-2019-20048 | 1 Al-enterprise | 1 Omnivista 8770 | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM. | |||||
| CVE-2019-1888 | 1 Cisco | 2 Unified Contact Center Express, Unified Ip Interactive Voice Response | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. | |||||
| CVE-2019-1861 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. | |||||
| CVE-2019-1443 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server.An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.The security update addresses the vulnerability by correcting how SharePoint checks file content., aka 'Microsoft SharePoint Information Disclosure Vulnerability'. | |||||
| CVE-2019-19925 | 8 Debian, Netapp, Opensuse and 5 more | 12 Debian Linux, Cloud Backup, Backports Sle and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. | |||||
| CVE-2019-19745 | 1 Contao | 1 Contao | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server. | |||||
| CVE-2019-19684 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. | |||||