Total
2195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-15990 | 1 Savsofteproducts | 1 Phpinventory | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/. | |||||
CVE-2016-6104 | 1 Ibm | 1 Security Key Lifecycle Manager | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute arbitrary code on the vulnerable system. | |||||
CVE-2017-9069 | 1 Modx | 1 Modx Revolution | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess. | |||||
CVE-2017-8080 | 1 Atlassian | 1 Hipchat Server | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. | |||||
CVE-2017-6104 | 1 Zen Mobile App Native Project | 1 Zen Mobile App Native | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. | |||||
CVE-2016-9268 | 1 Dotclear | 1 Dotclear | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute arbitrary code by uploading a theme file with an zip extension, and then accessing it via unspecified vectors. | |||||
CVE-2017-7357 | 1 Atlassian | 1 Hipchat Server | 2023-12-10 | 6.5 MEDIUM | 9.1 CRITICAL |
Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. | |||||
CVE-2017-9080 | 1 Playsms | 1 Playsms | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection. | |||||
CVE-2017-7281 | 1 Unitrends | 1 Enterprise Backup | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload. | |||||
CVE-2017-7989 | 1 Joomla | 1 Joomla\! | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden. | |||||
CVE-2016-8921 | 1 Ibm | 1 Filenet Workplace Xt | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | |||||
CVE-2016-1713 | 1 Vtiger | 1 Vtiger Crm | 2023-12-10 | 8.5 HIGH | 7.3 HIGH |
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. | |||||
CVE-2015-4455 | 1 Aviary Image Editor Add-on For Gravity Forms Project | 1 Aviary Image Editor Add-on For Gravity Forms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary. | |||||
CVE-2015-3884 | 1 Qdpm | 1 Qdpm | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/. | |||||
CVE-2016-7902 | 1 Dotclear | 1 Dotclear | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20. | |||||
CVE-2016-8973 | 1 Ibm | 1 Rational Rhapsody Design Manager | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960. | |||||
CVE-2017-6027 | 1 Codesys | 1 Web Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An Arbitrary File Upload issue was discovered in 3S-Smart Software Solutions GmbH CODESYS Web Server. The following versions of CODESYS Web Server, part of the CODESYS WebVisu web browser visualization software, are affected: CODESYS Web Server Versions 2.3 and prior. A specially crafted web server request may allow the upload of arbitrary files (with a dangerous type) to the CODESYS Web Server without authorization which may allow remote code execution. | |||||
CVE-2017-9101 | 1 Playsms | 1 Playsms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file. | |||||
CVE-2016-6124 | 1 Ibm | 1 Kenexa Lms On Cloud | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | |||||
CVE-2017-7695 | 1 Bigtreecms | 1 Bigtree Cms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. |