Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4225 | 2 Microsoft, Smartypantsplugins | 2 Windows, Sp Project \& Document Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.
|
|||||
| CVE-2021-4096 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.
|
|||||
| CVE-2021-4080 | 1 Craterapp | 1 Crater | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
crater is vulnerable to Unrestricted Upload of File with Dangerous Type
|
|||||
| CVE-2021-46428 | 1 Simple Chatbot Application Project | 1 Simple Chatbot Application | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php.
|
|||||
| CVE-2021-46386 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
|
|||||
| CVE-2021-46367 | 1 Ritecms | 1 Ritecms | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.
|
|||||
| CVE-2021-46360 | 1 Ocproducts | 1 Composr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
|
|||||
| CVE-2021-46116 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code.
|
|||||
| CVE-2021-46115 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code.
|
|||||
| CVE-2021-46113 | 1 Kea-hotel-erp Project | 1 Kea-hotel-erp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service.
|
|||||
| CVE-2021-46097 | 1 Dolphinphp | 1 Dolphinphp | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log
|
|||||
| CVE-2021-46079 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.
|
|||||
| CVE-2021-46078 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.
|
|||||
| CVE-2021-46076 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.
|
|||||
| CVE-2021-46036 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
|
|||||
| CVE-2021-46033 | 1 Forestblog Project | 1 Forestblog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In ForestBlog, as of 2021-12-28, File upload can bypass verification.
|
|||||
| CVE-2021-46013 | 1 Free School Management Software Project | 1 Free School Management Software | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is saved into /uploads/exam_question/ directory, and is accessible by all users.
|
|||||
| CVE-2021-45982 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
NetScout nGeniusONE 6.3.2 allows Arbitrary File Upload by a privileged user.
|
|||||
| CVE-2021-45865 | 1 Student Attendance Management System Project | 1 Student Attendance Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality.
|
|||||
| CVE-2021-45835 | 1 Online Admission System Project | 1 Online Admissions System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution.
|
|||||
| CVE-2021-45834 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution.
|
|||||
| CVE-2021-45808 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
jpress v4.2.0 allows users to register an account by default. With the account, user can upload arbitrary files to the server.
|
|||||
| CVE-2021-45790 | 1 Metersphere | 1 Metersphere | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands.
|
|||||
| CVE-2021-45411 | 1 Printable Staff Id Card Creator System Project | 1 Printable Staff Id Card Creator System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
|
|||||
| CVE-2021-45040 | 1 Spatie | 1 Laravel Media Library | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.
|
|||||
| CVE-2021-44673 | 1 Croogo | 1 Croogo | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.
|
|||||
| CVE-2021-44664 | 1 Xerte | 1 Xerte | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypasses the upload filters. Attackers can manipulate the files destination by abusing path traversal in the 'mediapath' variable.
|
|||||
| CVE-2021-44651 | 1 Zohocorp | 2 Log360, Manageengine Cloud Security Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
|
|||||
| CVE-2021-44426 | 1 Anydesk | 1 Anydesk | 2024-11-21 | N/A | 8.8 HIGH |
|
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine, if an attacker is also connected remotely with AnyDesk to the same remote machine. The upload is done without any approval or action taken by the victim.
|
|||||
| CVE-2021-44164 | 1 Chinasea | 1 Qb Smart Service Robot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service.
|
|||||
| CVE-2021-44159 | 1 4mosan | 1 Gcb Doctor | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or deny of service attack.
|
|||||
| CVE-2021-44123 | 1 Spip | 1 Spip | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
|
|||||
| CVE-2021-44094 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
|
|||||
| CVE-2021-44093 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
|
|||||
| CVE-2021-44031 | 1 Quest | 1 Kace Desktop Authority | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code execution. An attacker could upload a .ASP file to reside at /images/{GUID}/{filename}.
|
|||||
| CVE-2021-43973 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file.
|
|||||
| CVE-2021-43970 | 1 Quicklert | 1 Quicklert | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
An arbitrary file upload vulnerability exists in albumimages.jsp in Quicklert for Digium 10.0.0 (1043) via a .mp3;.jsp filename for a file that begins with audio data bytes. It allows an authenticated (low privileged) attacker to execute remote code on the target server within the context of application's permissions (SYSTEM).
|
|||||
| CVE-2021-43936 | 1 Webhmi | 2 Webhmi, Webhmi Firmware | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
|
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.
|
|||||
| CVE-2021-43934 | 1 Smartptt | 1 Smartptt Scada | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files.
|
|||||
| CVE-2021-43829 | 1 Patrowl | 1 Patrowlmanager | 2024-11-21 | 6.5 MEDIUM | 7.4 HIGH |
|
PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue.
|
|||||