Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-15033 | 1 Delete All Comments Project | 1 Delete All Comments | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
|
|||||
| CVE-2016-11020 | 1 Kunena | 1 Kunena | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
|
|||||
| CVE-2016-10995 | 1 Templatic | 1 Telvolution | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php.
|
|||||
| CVE-2016-10959 | 1 Estatik | 1 Estatik | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.
|
|||||
| CVE-2016-10958 | 1 Estatik | 1 Estatik | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php.
|
|||||
| CVE-2016-10955 | 1 Cysteme | 1 Cysteme-finder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.
|
|||||
| CVE-2016-10954 | 1 Dynamicpress | 1 Neosense | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.
|
|||||
| CVE-2016-10758 | 1 Phpkit | 1 Phpkit | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter.
|
|||||
| CVE-2016-10752 | 1 S9y | 1 Serendipity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.
|
|||||
| CVE-2016-10751 | 1 Osclass | 1 Osclass | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload.
|
|||||
| CVE-2016-10258 | 1 Broadcom | 2 Advanced Secure Gateway, Symantec Proxysg | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
|
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
|
|||||
| CVE-2016-10036 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.
|
|||||
| CVE-2015-9499 | 1 Themepunch | 1 Showbiz Pro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
|
|||||
| CVE-2015-9479 | 1 Advancedcustomfields | 1 Acf Fronted Display | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php.
|
|||||
| CVE-2015-9471 | 1 Digitalzoomstudio | 1 Zoomsounds | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.php arbitrary file upload.
|
|||||
| CVE-2015-9402 | 1 Usersultra | 1 Users Ultra Membership | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs-form-conf arbitrary file upload.
|
|||||
| CVE-2015-9341 | 1 Iptanus | 1 Wordpress File Upload | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files.
|
|||||
| CVE-2015-9340 | 1 Iptanus | 1 Wordpress File Upload | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The wp-file-upload plugin before 3.0.0 for WordPress has insufficient restrictions on upload of php, js, pht, php3, php4, php5, phtml, htm, html, and htaccess files.
|
|||||
| CVE-2015-9339 | 1 Iptanus | 1 Wordpress File Upload | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The wp-file-upload plugin before 2.7.1 for WordPress has insufficient restrictions on upload of .js files.
|
|||||
| CVE-2015-9338 | 1 Iptanus | 1 Wordpress File Upload | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.
|
|||||
| CVE-2015-9271 | 1 Videowhisper | 1 Video Conference | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905.
|
|||||
| CVE-2015-9263 | 1 Idera | 1 Uptime Infrastructure Monitor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in post2file.php in Up.Time Monitoring Station 7.5.0 (build 16) and 7.4.0 (build 13). It allows an attacker to upload an arbitrary file, such as a .php file that can execute arbitrary OS commands.
|
|||||
| CVE-2015-9259 | 1 Docker | 1 Notary | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Docker Notary before 0.1, the checkRoot function in gotuf/client/client.go does not check expiry of root.json files, despite a comment stating that it does. Even if a user creates a new root.json file after a key compromise, an attacker can produce update files referring to an old root.json file.
|
|||||
| CVE-2015-7341 | 1 Joobi | 1 Jnews | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension.
|
|||||
| CVE-2015-7339 | 1 Widgetfactorylimited | 1 Jce | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a .php file extension for an image file to the /com_jce/editor/libraries/classes/browser.php script.
|
|||||
| CVE-2015-6000 | 1 Vtiger | 1 Vtiger Crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.
|
|||||
| CVE-2015-5951 | 1 Thomsonreuters | 1 Fatca | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
|
A file upload issue exists in the specid parameter in Thomson Reuters FATCH before 5.2, which allows malicious users to upload arbitrary PHP files to the web root and execute system commands.
|
|||||
| CVE-2015-5601 | 1 Edx | 1 Edx-platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.
|
|||||
| CVE-2015-4553 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
|
|||||
| CVE-2015-1785 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the application validates user uploaded files and lack of security measures preventing unwanted HTTP requests.
|
|||||
| CVE-2015-1784 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the application validates user uploaded files and lack of security measures preventing unwanted HTTP requests.
|
|||||
| CVE-2015-10087 | 1 Upthemes | 1 Designfolio-plus | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in UpThemes Theme DesignFolio Plus 1.2 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 53f6ae62878076f99718e5feb589928e83c879a9. It is recommended to apply a patch to fix this issue. The identifier VDB-22 ...
Show More |
|||||
| CVE-2015-0796 | 1 Opensuse | 1 Open Buildservice | 2024-11-21 | 4.6 MEDIUM | 6.3 MEDIUM |
|
In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break of confinement or cause denial of service attacks on the source service.
|
|||||
| CVE-2015-0258 | 3 Canonical, Debian, O-dyn | 3 Ubuntu Linux, Debian Linux, Collabtive | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.
|
|||||
| CVE-2014-8739 | 2 Creative-solutions, Jquery File Upload Project | 2 Creative Contact Form, Jquery File Upload | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
|
|||||
| CVE-2014-8516 | 1 Cloudfastpath | 1 Netcharts Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
|
|||||
| CVE-2014-8337 | 1 Helpdezk | 1 Helpdezk | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter.
|
|||||
| CVE-2014-4972 | 1 Ajax Upload For Gravity Forms Project | 1 Ajax Upload For Gravity Forms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Unrestricted file upload vulnerability in the Gravity Upload Ajax plugin 1.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under wp-content/uploads/gravity_forms.
|
|||||
| CVE-2014-4912 | 1 Frog Cms Project | 1 Frog Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.
|
|||||
| CVE-2014-3448 | 1 Bss Continuity Cms Project | 1 Bss Continuty Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerability due to unauthenticated file upload
|
|||||