Total: 3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-25495 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The component /jquery_file_upload/server/php/index.php of CuppaCMS v1.0 allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file. |
| CVE-2022-25487 | 1 Thedigitalcraft | 1 Atomcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php. |
| CVE-2022-25411 | 1 Max-3000 | 1 Maxsite Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-25360 | 1 Watchguard | 1 Fireware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. |
| CVE-2022-25115 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | A remote code execution (RCE) vulnerability in the Avatar parameter under /admin/?page=user/manage_user of Home Owners Collection Management System v1.0 allows attackers to execute arbitrary code via a crafted PNG file. |
| CVE-2022-25016 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Home Owners Collection Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /student_attendance/index.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-24984 | 1 Jqueryform | 1 Jqueryform | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL | Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-extension checks occur on the client side, and because not all executable content (e.g., .phtml or .php.bak) is blocked. |
| CVE-2022-24837 | 1 Hedgedoc | 1 Hedgedoc | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to ... |
| CVE-2022-24749 | 1 Sylius | 1 Sylius | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform an XSS attack, the file itself has to be opened in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-uplo ... |
| CVE-2022-24688 | 1 Dsk | 1 Dsknet | 2024-11-21 | N/A | 8.8 HIGH | An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copie ... |
| CVE-2022-24676 | 1 Hyphp | 1 Hybbs2 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive. |
| CVE-2022-24652 | 1 Sentcms | 1 Sentcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution in /admin/upload/upload. |
| CVE-2022-24651 | 1 Sentcms | 1 Sentcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload. |
| CVE-2022-24581 | 1 Aceware | 1 Aceweb Online Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software. |
| CVE-2022-24553 | 1 Zfaka Project | 1 Zfaka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was found in Zfaka <= 1.4.5. The check in the background file upload function is not strict, resulting in remote command execution. |
| CVE-2022-24387 | 1 Smartertools | 1 Smartertrack | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL | With administrator or admin privileges, the application can be tricked into overwriting files in the app_data/Config folder, e.g. the systemsettings.xml file. This is possible in SmarterTrack v100.0.8019.14010. |
| CVE-2022-24262 | 1 Voipmonitor | 1 Voipmonitor | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root. |
| CVE-2022-24254 | 1 Extensis | 1 Portfolio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An unrestricted file upload vulnerability in the Backup/Restore Archive component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted ZIP file. |
| CVE-2022-24253 | 1 Extensis | 1 Portfolio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the component AdminFileTransferServlet. |
| CVE-2022-24252 | 1 Extensis | 1 Portfolio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An unrestricted file upload vulnerability in the FileTransferServlet component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted file. |
| CVE-2022-24251 | 1 Extensis | 1 Portfolio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the Catalog Asset Upload function. |
| CVE-2022-24239 | 1 Aceware | 1 Aceweb Online Portal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp. |
| CVE-2022-24136 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulnerability in treatmentrecord.php. To exploit it, an attacker can upload any PHP file and then execute it. |
| CVE-2022-23906 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file. |
| CVE-2022-23880 | 1 Taogogo | 1 Taocms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An arbitrary file upload vulnerability in the File Management function module of taoCMS v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-23390 | 1 Diyhi | 1 Bbs Forum | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files. |
| CVE-2022-23375 | 1 Wikidocs | 1 Wikidocs | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php. |
| CVE-2022-23346 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues. |
| CVE-2022-23329 | 1 Ujcms | 1 Jspxcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files. |
| CVE-2022-23315 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. |
| CVE-2022-23155 | 1 Dell | 1 Wyse Management Suite | 2024-11-21 | 9.0 HIGH | 7.2 HIGH | Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system. |
| CVE-2022-23048 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After uploading it, the PHP file is placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands. |
| CVE-2022-23043 | 1 Tribalsystems | 1 Zenario | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' entry using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server. |
| CVE-2022-23026 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Acceleration Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2022-22952 | 2 Microsoft, Vmware | 2 Windows, Carbon Black App Control | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL | VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file. |
| CVE-2022-22929 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. |
| CVE-2022-22482 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow an authenticated user to upload files that could fill up the filesystem and cause a denial of service. IBM X-Force ID: 225977. |
| CVE-2022-22450 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2024-11-21 | N/A | 3.8 LOW | IBM Security Verify Identity Manager 10.0 could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request. IBM X-Force ID: 224916. |
| CVE-2022-22392 | 1 Ibm | 1 Planning Analytics Workspace | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim, could result in code execution. IBM X-Force ID: 222066. |
| CVE-2022-22375 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-11-21 | N/A | 7.2 HIGH | IBM Security Verify Privilege On-Premises 11.5 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 221681. |