Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9975 | 1 Rems | 1 Drag And Drop Image Upload | 2024-10-16 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability was found in SourceCodester Drag and Drop Image Upload 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /upload.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-9794 | 1 Codezips | 1 Online Shopping Portal | 2024-10-15 | 6.5 MEDIUM | 9.8 CRITICAL |
|
A vulnerability, which was classified as critical, has been found in Codezips Online Shopping Portal 1.0. This issue affects some unknown processing of the file /update-image1.php. The manipulation of the argument productimage1 leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-42640 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
|
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2024-46088 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
|
An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-37868 | 1 Emiloimagtolis | 1 Online Discussion Forum | 2024-10-08 | N/A | 8.8 HIGH |
|
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "sendreply.php" file, and the uploaded file was received using the "$- FILES" variable.
|
|||||
| CVE-2024-37869 | 1 Emiloimagtolis | 1 Online Discussion Forum | 2024-10-08 | N/A | 8.8 HIGH |
|
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable
|
|||||
| CVE-2024-8743 | 2024-10-07 | N/A | 6.8 MEDIUM | ||
|
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.
|
|||||
| CVE-2024-47319 | 2024-10-07 | N/A | 8.0 HIGH | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form – Contact Form Plugin allows Code Injection.This issue affects Bit Form – Contact Form Plugin: from n/a through 2.13.10.
|
|||||
| CVE-2024-9280 | 1 Kvf-admin Project | 1 Kvf-admin | 2024-10-04 | 5.8 MEDIUM | 9.8 CRITICAL |
|
A vulnerability has been found in kalvinGit kvf-admin up to f12a94dc1ebb7d1c51ee978a85e4c7ed75c620ff and classified as critical. This vulnerability affects the function fileUpload of the file FileUploadKit.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated ...
Show More |
|||||
| CVE-2024-9108 | 2024-10-04 | N/A | 9.8 CRITICAL | ||
|
The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-7772 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
|
The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-8940 | 1 Scriptcase | 1 Scriptcase | 2024-10-01 | N/A | 9.8 CRITICAL |
|
Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input.
|
|||||
| CVE-2024-8725 | 1 Advancedfilemanager | 1 Advanced File Manager | 2024-10-01 | N/A | 5.4 MEDIUM |
|
Multiple plugins and/or themes for WordPress are vulnerable to Limited File Upload in various versions. This is due to a lack of proper checks to ensure lower-privileged roles cannot upload .css and .js files to arbitrary directories. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files to any directory within the WordPress root directory, which could lead to Stored Cross-Site Scripti ...
Show More |
|||||
| CVE-2024-8126 | 1 Advancedfilemanager | 1 Advanced File Manager | 2024-10-01 | N/A | 8.8 HIGH |
|
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-46441 | 2024-09-30 | N/A | 8.8 HIGH | ||
|
An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/Home.php). The file extension of an uncompressed file is not checked.
|
|||||
| CVE-2024-9278 | 2024-09-30 | 5.8 MEDIUM | 4.7 MEDIUM | ||
|
A vulnerability, which was classified as critical, has been found in HuankeMao SCRM up to 0.0.3. Affected by this issue is the function upload_domain_verification_file of the file WxkConfig.php of the component Administrator Backend. The manipulation of the argument domain_verification_file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-7906 | 1 Dedebiz | 1 Dedebiz | 2024-09-27 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability classified as critical was found in DedeBIZ 6.3.0. This vulnerability affects the function get_mime_type of the file /admin/dialog/select_images_post.php of the component Attachment Settings. The manipulation of the argument upload leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-9038 | 1 Codezips | 1 Online Shopping Portal | 2024-09-27 | 4.0 MEDIUM | 9.8 CRITICAL |
|
A vulnerability classified as problematic was found in Codezips Online Shopping Portal 1.0. Affected by this vulnerability is an unknown functionality of the file insert-product.php. The manipulation of the argument productimage1/productimage2/productimage3 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-7384 | 1 Acymailing | 1 Acymailing | 2024-09-27 | N/A | 8.8 HIGH |
|
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-7770 | 1 Bitapps | 1 File Manager | 2024-09-26 | N/A | 8.8 HIGH |
|
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possib ...
Show More |
|||||
| CVE-2024-45398 | 1 Contao | 1 Contao | 2024-09-25 | N/A | 8.8 HIGH |
|
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.
|
|||||
| CVE-2024-8338 | 1 Hfo4 | 1 Shudong-share | 2024-09-25 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2024-40125 | 1 Closed-loop | 1 Cless Server | 2024-09-25 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint.
|
|||||
| CVE-2024-27115 | 1 Soplanning | 1 Soplanning | 2024-09-18 | N/A | 9.8 CRITICAL |
|
A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
|
|||||
| CVE-2024-8242 | 1 Inspireui | 1 Mstore Api | 2024-09-18 | N/A | 8.8 HIGH |
|
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registrat ...
Show More |
|||||
| CVE-2024-7705 | 1 Mainwww | 1 Mwcms | 2024-09-16 | 5.8 MEDIUM | 5.3 MEDIUM |
|
A vulnerability was found in Fujian mwcms 1.0.0. It has been declared as critical. Affected by this vulnerability is the function uploadeditor of the file /uploadeditor.html?action=uploadimage of the component Image Upload. The manipulation of the argument upfile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-44871 | 1 Mozilo | 1 Mozilocms | 2024-09-13 | N/A | 7.2 HIGH |
|
An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-8463 | 1 Phpgurukul | 1 Job Portal | 2024-09-12 | N/A | 8.8 HIGH |
|
File upload restriction bypass vulnerability in PHPGurukul Job Portal 1.0, the exploitation of which could allow an authenticated user to execute an RCE via webshell.
|
|||||
| CVE-2024-6311 | 1 Funnelforms | 1 Funnelforms Free | 2024-09-12 | N/A | 7.2 HIGH |
|
The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'af2_add_font' function in all versions up to, and including, 3.7.3.2. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-7500 | 1 Angeljudesuarez | 1 Airline Reservation System | 2024-09-11 | 6.5 MEDIUM | 9.8 CRITICAL |
|
A vulnerability was found in itsourcecode Airline Reservation System 1.0. It has been rated as critical. Affected by this issue is the function save_settings of the file admin/admin_class.php. The manipulation of the argument img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273626 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-7506 | 1 Angeljudesuarez | 1 Tailoring Management System | 2024-09-11 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /setlogo.php. The manipulation of the argument bgimg leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273649 was assigned to this vulnerability.
|
|||||
| CVE-2024-8232 | 2024-09-11 | N/A | 7.5 HIGH | ||
|
SpiderControl SCADA Web Server has a vulnerability that could allow an
attacker to upload specially crafted malicious files without
authentication.
|
|||||
| CVE-2024-45076 | 1 Ibm | 1 Webmethods Integration | 2024-09-06 | N/A | 9.9 CRITICAL |
|
IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.
|
|||||
| CVE-2024-43249 | 1 Bitapps | 1 Bit Form | 2024-09-06 | N/A | 8.8 HIGH |
|
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through 2.6.4.
|
|||||
| CVE-2024-40645 | 1 Fogproject | 1 Fogproject | 2024-09-05 | N/A | 8.8 HIGH |
|
FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web ...
Show More |
|||||
| CVE-2024-8330 | 1 6shr System Project | 1 6shr System | 2024-09-05 | N/A | 8.8 HIGH |
|
6SHR system from Gether Technology does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload web shell scripts and use them to execute arbitrary system commands on the server.
|
|||||
| CVE-2024-8341 | 1 Nelzkie15 | 1 Pet Shop Management System | 2024-09-04 | 6.5 MEDIUM | 9.8 CRITICAL |
|
A vulnerability classified as critical was found in SourceCodester Petshop Management System 1.0. This vulnerability affects unknown code of the file /controllers/add_user.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-7943 | 1 Adonesevangelista | 1 Laravel Property Management System | 2024-09-03 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability was found in itsourcecode Laravel Property Management System 1.0 and classified as critical. This issue affects the function upload of the file PropertiesController.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-6117 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2024-08-30 | N/A | 8.8 HIGH |
|
A Unrestricted upload of file with dangerous type vulnerability in meeting management function in Hamastar MeetingHub Paperless Meetings 2021 allows remote authenticated users to perform arbitrary system commands via a crafted ASP file.
|
|||||
| CVE-2024-8294 | 1 Feehi | 1 Feehicms | 2024-08-30 | 6.5 MEDIUM | 9.8 CRITICAL |
|
A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||