Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6110 | 1 Janobe | 1 Magbanua Beach Resort Online Reservation System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was found in itsourcecode Magbanua Beach Resort Online Reservation System up to 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file controller.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268856.
|
|||||
| CVE-2024-6084 | 1 Janobe | 1 Pool Of Bethesda Online Reservation System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability has been found in itsourcecode Pool of Bethesda Online Reservation System up to 1.0 and classified as critical. Affected by this vulnerability is the function uploadImage of the file /admin/mod_room/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268825 was assigned to this vulnerability.
|
|||||
| CVE-2024-6083 | 1 Phpvibe | 1 Phpvibe | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, was found in PHPVibe 11.0.46. Affected is an unknown function of the file /app/uploading/upload-mp3.php of the component Media Upload Page. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268824. NOTE: The vendor was contacted early about this disclosure but did not respond in ...
Show More |
|||||
| CVE-2024-6054 | 1 Auto-featured-image Project | 1 Auto-featured-image | 2024-11-21 | N/A | 8.8 HIGH |
|
The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-5745 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-267414 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-5734 | 1 Online Discussion Forum Project | 1 Online Discussion Forum | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-267408.
|
|||||
| CVE-2024-5630 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2024-11-21 | N/A | 8.8 HIGH |
|
The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
|
|||||
| CVE-2024-5441 | 1 Webnus | 2 Modern Events Calendar, Modern Events Calendar Lite | 2024-11-21 | N/A | 8.8 HIGH |
|
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthentica ...
Show More |
|||||
| CVE-2024-5050 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability, which was classified as critical, was found in Wangshen SecGate 3600 up to 20240516. This affects an unknown part of the file /?g=log_import_save. The manipulation of the argument reqfile leads to unrestricted upload. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-264747.
|
|||||
| CVE-2024-5049 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability, which was classified as critical, has been found in Codezips E-Commerce Site 1.0. Affected by this issue is some unknown functionality of the file admin/editproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-264746 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-5008 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 8.8 HIGH |
|
In WhatsUp Gold versions released before 2023.1.3,
an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
|
|||||
| CVE-2024-4923 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability has been found in Codezips E-Commerce Site 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/addproduct.php. The manipulation of the argument profilepic leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264460.
|
|||||
| CVE-2024-4904 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability was found in Byzoro Smart S200 Management Platform up to 20240507. It has been rated as critical. This issue affects some unknown processing of the file /useratte/userattestation.php. The manipulation of the argument web_img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264437 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did ...
Show More |
|||||
| CVE-2024-49314 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in 酱茄 JiangQie Free Mini Program allows Upload a Web Shell to a Web Server.This issue affects JiangQie Free Mini Program: from n/a through 2.5.2.
|
|||||
| CVE-2024-42054 | 1 Cervantessec | 1 Cervantes | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Cervantes through 0.5-alpha accepts insecure file uploads.
|
|||||
| CVE-2024-40551 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-40550 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-40548 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-40546 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-40545 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 8.8 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-40318 | 1 Webkul | 1 Qloapps | 2024-11-21 | N/A | 7.2 HIGH |
|
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-3912 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device.
|
|||||
| CVE-2024-3804 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosur ...
Show More |
|||||
| CVE-2024-3803 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability classified as critical was found in Vesystem Cloud Desktop up to 20240408. This vulnerability affects unknown code of the file /Public/webuploader/0.1.5/server/fileupload.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260776. NOTE: The vendor was contacted early about this disclosure but did not respond in any wa ...
Show More |
|||||
| CVE-2024-3521 | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability was found in Byzoro Smart S80 Management Platform up to 20240317. It has been rated as critical. Affected by this issue is some unknown functionality of the file /useratte/userattestation.php. The manipulation of the argument web_img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259892. NOTE: The vendor was contacted early about this disclosure but did no ...
Show More |
|||||
| CVE-2024-3444 | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability was found in Wangshen SecGate 3600 up to 20240408. It has been classified as critical. This affects an unknown part of the file /?g=net_pro_keyword_import_save. The manipulation of the argument reqfile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259701 was assigned to this vulnerability.
|
|||||
| CVE-2024-3123 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
CHANGING Mobile One Time Password's uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands.
|
|||||
| CVE-2024-3112 | 1 Bestwebsoft | 1 Quotes And Tips | 2024-11-21 | N/A | 4.8 MEDIUM |
|
The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
|
|||||
| CVE-2024-39865 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | N/A | 8.8 HIGH |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution.
|
|||||
| CVE-2024-38736 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection.This issue affects Realtyna Organic IDX plugin: from n/a through 4.14.13.
|
|||||
| CVE-2024-38734 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Code Injection.This issue affects Import Spreadsheets from Microsoft Excel: from n/a through 10.1.4.
|
|||||
| CVE-2024-37555 | 1 Zealousweb | 1 Generate Pdf Using Contact Form 7 | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7.This issue affects Generate PDF using Contact Form 7: from n/a through 4.0.6.
|
|||||
| CVE-2024-37424 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.This issue affects Newspack Blocks: from n/a through 3.0.8.
|
|||||
| CVE-2024-37420 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.This issue affects Zita Elementor Site Library: from n/a through 1.6.1.
|
|||||
| CVE-2024-37273 | 1 Homebrew | 1 Jan | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-36987 | 1 Splunk | 2 Cloud, Splunk | 2024-11-21 | N/A | 4.3 MEDIUM |
|
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.
|
|||||
| CVE-2024-36858 | 1 Homebrew | 1 Jan | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-36774 | 1 Monstra | 1 Monstra | 2024-11-21 | N/A | 7.2 HIGH |
|
An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.
|
|||||
| CVE-2024-36415 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 9.1 CRITICAL |
|
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
|
|||||
| CVE-2024-36396 | 1 Verint | 1 Workforce Optimization | 2024-11-21 | N/A | 8.8 HIGH |
|
Verint - CWE-434: Unrestricted Upload of File with Dangerous Type
|
|||||