Total
2929 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-33930 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2025-02-05 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Code Injection.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.66. | ||||
| CVE-2025-24505 | 2025-02-05 | N/A | ||
| This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file. | ||||
| CVE-2021-27860 | 1 Fatpipeinc | 6 Ipvpn, Ipvpn Firmware, Mpvpn and 3 more | 2025-02-04 | 9.8 Critical |
| A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006. | ||||
| CVE-2023-1731 | 1 Meinbergglobal | 7 Lantime Firmware, Lantime M100, Lantime M200 and 4 more | 2025-02-04 | 7.2 High |
| In Meinbergs LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands. | ||||
| CVE-2023-30613 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-02-04 | 8.1 High |
| Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading. | ||||
| CVE-2023-25132 | 1 Cyberpower | 1 Powerpanel | 2025-02-04 | 9.1 Critical |
| Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors. | ||||
| CVE-2023-2245 | 1 Hansuncms Project | 1 Hansuncms | 2025-02-04 | 6.3 Medium |
| A vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227230 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-26098 | 1 Telindus | 1 Apsal | 2025-02-04 | 8.2 High |
| An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b. An attacker may upload a crafted file to execute arbitrary code. | ||||
| CVE-2024-41454 | 2025-02-03 | 6.5 Medium | ||
| An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file. | ||||
| CVE-2022-25277 | 1 Drupal | 1 Drupal | 2025-02-03 | 7.2 High |
| Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. | ||||
| CVE-2023-29240 | 1 F5 | 1 Big-iq Centralized Management | 2025-02-03 | 5.4 Medium |
| An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2023-30266 | 1 Cltphp | 1 Cltphp | 2025-02-03 | 8.8 High |
| CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type. | ||||
| CVE-2024-57761 | 2025-02-03 | 8.1 High | ||
| An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-40513 | 2025-02-03 | 4.6 Medium | ||
| An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function. | ||||
| CVE-2022-1565 | 1 Wpallimport | 1 Wp All Import | 2025-01-31 | 7.2 High |
| The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2024-46210 | 2025-01-31 | 7.2 High | ||
| An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2023-42248 | 2025-01-31 | 6.5 Medium | ||
| An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can write arbitrary files by manipulating POST parameters of the page "common/vam_Sql.php". | ||||
| CVE-2022-36769 | 2 Ibm, Redhat | 2 Cloud Pak For Data, Openshift | 2025-01-31 | 7.2 High |
| IBM Cloud Pak for Data 4.5 and 4.6 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 232034. | ||||
| CVE-2023-29721 | 1 Sofawiki Project | 1 Sofawiki | 2025-01-31 | 9.8 Critical |
| SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution. | ||||
| CVE-2023-29631 | 1 Joommasters | 1 Jms Slider | 2025-01-31 | 9.8 Critical |
| PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php. | ||||