Total
2929 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25909 | 2024-11-21 | 9.9 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2. | ||||
| CVE-2024-25869 | 2024-11-21 | 8.8 High | ||
| An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component. | ||||
| CVE-2024-25846 | 2024-11-21 | 9.1 Critical | ||
| In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php. | ||||
| CVE-2024-25674 | 1 Misp | 1 Misp | 2024-11-21 | 9.8 Critical |
| An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. | ||||
| CVE-2024-25274 | 2024-11-21 | 9.8 Critical | ||
| An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-24809 | 2024-11-21 | 8.5 High | ||
| Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue. | ||||
| CVE-2024-24714 | 2024-11-21 | 7.2 High | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through 1.1.4. | ||||
| CVE-2024-24551 | 2024-11-21 | N/A | ||
| A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | ||||
| CVE-2024-24550 | 1 Bludit | 1 Bludit | 2024-11-21 | N/A |
| A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | ||||
| CVE-2024-24399 | 1 Lepton-cms | 1 Leptoncms | 2024-11-21 | 7.2 High |
| An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area. | ||||
| CVE-2024-24393 | 1 Oaooa | 1 Pichome | 2024-11-21 | 9.8 Critical |
| File Upload vulnerability index.php in Pichome v.1.1.01 allows a remote attacker to execute arbitrary code via crafted POST request. | ||||
| CVE-2024-24350 | 1 Softwarepublico | 1 E-sic Livre | 2024-11-21 | 8.8 High |
| File Upload vulnerability in Software Publico e-Sic Livre v.2.0 and before allows a remote attacker to execute arbitrary code via the extension filtering component. | ||||
| CVE-2024-24202 | 1 Easycorp | 3 Zentao, Zentao Biz, Zentao Max | 2024-11-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file. | ||||
| CVE-2024-24026 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | ||||
| CVE-2024-24025 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | ||||
| CVE-2024-24024 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. | ||||
| CVE-2024-24000 | 1 Huaxiaerp | 1 Jsherp | 2024-11-21 | 9.8 Critical |
| jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths. | ||||
| CVE-2024-23811 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 8.8 High |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution. | ||||
| CVE-2024-23759 | 1 Gambio | 1 Gambio | 2024-11-21 | 9.8 Critical |
| Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function. | ||||
| CVE-2024-23630 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2024-11-21 | 9 Critical |
| An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, however can be bypassed. | ||||