Total
2929 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-18592 | 1 Wc-marketplace | 1 Wc Catalog Enquiry | 2024-11-21 | N/A |
| The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. | ||||
| CVE-2017-18435 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
| cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238). | ||||
| CVE-2017-18048 | 1 Monstra | 1 Monstra | 2024-11-21 | N/A |
| Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not. | ||||
| CVE-2017-17987 | 1 Muslim Matrimonial Script Project | 1 Muslim Matrimonial Script | 2024-11-21 | N/A |
| PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php. | ||||
| CVE-2017-17976 | 1 Perfexcrm | 1 Perfex Crm | 2024-11-21 | N/A |
| In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. | ||||
| CVE-2017-17874 | 1 Vanguard Project | 1 Marketplace Digital Products Php | 2024-11-21 | N/A |
| Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI. | ||||
| CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | ||||
| CVE-2017-17593 | 1 Simple Chatting System Project | 1 Simple Chatting System | 2024-11-21 | N/A |
| Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. | ||||
| CVE-2017-16949 | 1 Accesspressthemes | 1 Anonymous Post Pro | 2024-11-21 | N/A |
| An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution. | ||||
| CVE-2017-16941 | 1 Octobercms | 1 October | 2024-11-21 | N/A |
| October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering. | ||||
| CVE-2017-16772 | 1 Synology | 1 Photo Station | 2024-11-21 | N/A |
| Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter. | ||||
| CVE-2017-16736 | 1 Advantech | 1 Webaccess | 2024-11-21 | N/A |
| An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files. | ||||
| CVE-2017-16594 | 1 Netgain-systems | 1 Enterprise Manager | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to create arbitrary files on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp.db.save_005fimage_jsp servlet, which listens on TCP port 8081 by default. When parsing the id parameter, the process does not properly validate user-supplied data, which can allow for the upload of files. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5117. | ||||
| CVE-2017-16524 | 2 Hanwhasecurity, Samsung | 2 Web Viewer, Srn-1670d | 2024-11-21 | N/A |
| Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI. | ||||
| CVE-2017-16251 | 1 Mitel | 1 St14.2 | 2024-11-21 | N/A |
| A vulnerability in the conferencing component of Mitel ST 14.2, release GA28 and earlier, could allow an authenticated user to upload a malicious script to the Personal Library by a crafted POST request. Successful exploit could allow an attacker to execute arbitrary code within the context of the application. | ||||
| CVE-2017-15990 | 1 Savsofteproducts | 1 Phpinventory | 2024-11-21 | 9.8 Critical |
| Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/. | ||||
| CVE-2017-15962 | 1 Istock Management System Project | 1 Istock Management System | 2024-11-21 | N/A |
| iStock Management System 1.0 allows Arbitrary File Upload via user/profile. | ||||
| CVE-2017-15957 | 1 Ingenious School Management System Project | 1 Ingenious School Management System | 2024-11-21 | N/A |
| my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file. | ||||
| CVE-2017-15876 | 1 Sistemagpweb | 1 Gpweb | 2024-11-21 | N/A |
| Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell. | ||||
| CVE-2017-15673 | 1 Cs-cart | 1 Cs-cart | 2024-11-21 | N/A |
| The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. | ||||