Total: 1580 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-38323 | 1 Event Management System Project | 1 Event Management System | 2022-09-16 | N/A | 7.2 HIGH |
Event Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /Royal_Event/update_image.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | |||||
CVE-2021-44426 | 1 Anydesk | 1 Anydesk | 2022-09-16 | N/A | 8.8 HIGH |
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine, if an attacker is also connected remotely with AnyDesk to the same remote machine. The upload is done without any approval or action taken by the victim. | |||||
CVE-2022-37140 | 1 Techvill | 1 Paymoney | 2022-09-15 | N/A | 8.0 HIGH |
PayMoney 3.3 is vulnerable to Client Side Remote Code Execution (RCE). The vulnerability exists in the reply ticket function, which lets the attacker upload a malicious file. A calculator opens when a victim who downloads the file opens the RTF file. | |||||
CVE-2022-36667 | 1 Garage Management System Project | 1 Garage Management System | 2022-09-15 | N/A | 8.8 HIGH |
Garage Management System 1.0 is vulnerable to Remote Code Execution (RCE) due to a lack of filtering in the file upload function. The vulnerability exists when adding parts: through the upload function, the attacker can upload a PHP reverse shell directly to gain RCE. | |||||
CVE-2022-38296 | 1 Cuppacms | 1 Cuppacms | 2022-09-14 | N/A | 9.8 CRITICAL |
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager. | |||||
CVE-2022-3129 | 1 Online Driving School Project Project | 1 Online Driving School Project | 2022-09-12 | N/A | 9.8 CRITICAL |
A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207872. | |||||
CVE-2022-36065 | 1 Growthbook | 1 Growthbook | 2022-09-12 | N/A | 7.5 HIGH |
GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build. | |||||
CVE-2022-29464 | 1 Wso2 | 5 Api Manager, Enterprise Integrator, Identity Server and 2 more | 2022-09-09 | 10.0 HIGH | 9.8 CRITICAL |
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. | |||||
CVE-2020-21516 | 1 Feehi | 1 Feehicms | 2022-09-08 | N/A | 9.8 CRITICAL |
There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 at the head image upload, that allows attackers to execute relevant PHP code. | |||||
CVE-2022-37184 | 1 Garage Management System Project | 1 Garage Management System | 2022-09-07 | N/A | 8.8 HIGH |
The application manage_website.php on Garage Management System 1.0 is vulnerable to Shell File Upload. An already authenticated malicious user can upload a dangerous RCE or LCE exploit file. | |||||
CVE-2022-36582 | 1 Garage Management System Project | 1 Garage Management System | 2022-09-02 | N/A | 7.2 HIGH |
An arbitrary file upload vulnerability in the component /php_action/createProduct.php of Garage Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
CVE-2022-36580 | 1 Online Ordering System Project | 1 Online Ordering System | 2022-09-02 | N/A | 7.2 HIGH |
An arbitrary file upload vulnerability in the component /admin/products/controller.php?action=add of Online Ordering System v2.3.2 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
CVE-2022-36557 | 1 Seiko-sol | 4 Skybridge Mb-a100, Skybridge Mb-a100 Firmware, Skybridge Mb-a110 and 1 more | 2022-09-02 | N/A | 9.8 CRITICAL |
Seiko SkyBridge MB-A100/A110 v4.2.0 and below was discovered to contain an arbitrary file upload vulnerability via the restore backup function. This vulnerability allows attackers to execute arbitrary code via a crafted html file. | |||||
CVE-2020-29450 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-08-30 | 4.0 MEDIUM | 6.5 MEDIUM |
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. | |||||
CVE-2022-37181 | 1 72crm | 1 Wukong Crm | 2022-08-28 | N/A | 9.8 CRITICAL |
72crm 9.0 has an arbitrary file upload vulnerability. | |||||
CVE-2022-37159 | 1 Claroline | 1 Claroline | 2022-08-26 | N/A | 9.8 CRITICAL |
Claroline 13.5.7 and prior is vulnerable to Remote code execution via arbitrary file upload. | |||||
CVE-2022-36285 | 1 Uploading Svg, Webp And Ico Files Project | 1 Uploading Svg, Webp And Ico Files | 2022-08-25 | N/A | 7.2 HIGH |
Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress. | |||||
CVE-2021-29891 | 1 Ibm | 8 Hardware Management Console 7063-cr2, Hardware Management Console 7063-cr2 Firmware, Power System Ac922 (8335-gtg) and 5 more | 2022-08-25 | N/A | 4.9 MEDIUM |
IBM OPENBMC OP910 and OP940 could allow a privileged user to upload an improper site identity certificate that may cause it to lose network services. IBM X-Force ID: 207221. | |||||
CVE-2022-27925 | 1 Zimbra | 1 Collaboration | 2022-08-24 | 6.5 MEDIUM | 7.2 HIGH |
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. | |||||
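The Zimbra entry above is the classic "zip slip" shape: an archive is accepted from a user and its entries are written out under their stored names. The following is an added example written for this page, not Zimbra's code, showing the two checks a hand-rolled extraction loop needs (Python's own `ZipFile.extractall` already strips `..` and leading separators, so the check matters when code reads entries with `zf.read()`/`zf.open()` and writes them itself). The archive is constructed in memory and the destination is a temporary directory.

```python
"""Added example: extracting an untrusted ZIP without letting entry names
escape the destination ("zip slip"). Illustrative code written for this
page, not Zimbra's. The archive is constructed in memory; the destination
is a temporary directory.
"""
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: hello\n")
        zf.writestr("../../outside.txt", "would land above dest\n")
        zf.writestr("/etc/escaped.conf", "absolute entry name\n")
    return buf.getvalue()


def entry_is_safe(name: str) -> bool:
    """Cheap syntactic check on the stored entry name: no absolute path,
    no '..' component (with either separator), no NUL byte."""
    parts = name.replace("\\", "/").split("/")
    return not (name.startswith("/") or ".." in parts or "\x00" in name)


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Write each entry under dest; return (written, rejected) entry names.

    Loops that call zf.read()/zf.open() get no sanitisation from zipfile, so
    the name is checked twice: syntactically, and again on the resolved path
    so that a symlink planted earlier in the archive cannot redirect a write.
    """
    root = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not entry_is_safe(name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, *name.split("/")))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, root))
    return written, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the extractor on the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)
```

Rejecting an entry (rather than rewriting its name) is deliberate: an archive that contains traversal names is hostile, and logging the rejected names gives the responder the indicator they need.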
CVE-2022-2594 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2022-08-23 | N/A | 8.8 HIGH |
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. |
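The WSO2 entry (a Content-Disposition filename carrying `../` into a directory under the web root) and the crafted-PHP-upload entries on this page (Event Management System, Garage Management System, FeehiCMS, Online Ordering System) come down to two missing checks in one handler: where the file lands, and what type it may be. The ACF entry shows why the second check matters even when authentication fails. The following is an added example written for this page, not code from WSO2, WordPress, ACF or any other listed project; `UPLOAD_DIR`, the header samples and `ALLOWED_EXTENSIONS` are constructed for illustration (the allowlist is not WordPress's real default list), and the header parser deliberately ignores the RFC 5987 `filename*=` form.

```python
"""Added example: deriving a safe on-disk path and type for a multipart
upload. Illustrative code written for this page, not WSO2's, WordPress's
or ACF's. UPLOAD_DIR, the header samples and ALLOWED_EXTENSIONS are
constructed for illustration.
"""
import os
import re

UPLOAD_DIR = "/srv/app/tmp/uploads"   # hypothetical upload root

# Constructed allowlist; the real list depends on the application.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Leading bytes per accepted type, so the content must agree with the name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "txt": None,  # no signature; accepted on name alone
}

# Quoted filename= parameter only; filename*= (RFC 5987) is not handled.
_FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)

# Constructed header samples.
TRAVERSAL_HEADER = ('form-data; name="file"; '
                    'filename="../../../../repository/deployment/server/webapps/example.jsp"')
IMAGE_HEADER = 'form-data; name="file"; filename="../../photo.png"'
PNG_HEAD = b"\x89PNG\r\n\x1a\n"


def filename_from_disposition(header: str) -> str:
    """Pull the quoted filename= parameter out of a Content-Disposition value."""
    m = _FILENAME_RE.search(header)
    if not m:
        raise ValueError("no filename parameter")
    return m.group(1)


def naive_target(upload_dir: str, header: str) -> str:
    """The vulnerable pattern: join the client-supplied name as-is."""
    return os.path.normpath(os.path.join(upload_dir, filename_from_disposition(header)))


def allowed_type(basename: str, head: bytes) -> bool:
    """Every extension segment must be allowlisted (Apache mod_mime evaluates
    all of them, so shell.php.jpg fails) and the leading bytes must match."""
    segments = basename.lower().split(".")
    if len(segments) < 2 or segments[0] == "":
        return False  # no extension, or a dotfile such as .htaccess
    exts = segments[1:]
    if any(e not in ALLOWED_EXTENSIONS for e in exts):
        return False
    sigs = MAGIC[exts[-1]]
    return sigs is None or any(head.startswith(s) for s in sigs)


def safe_target(upload_dir: str, header: str, head: bytes) -> str:
    """Hardened: keep the last path component only, require an allowlisted
    type, then prove the resolved path is still under upload_dir."""
    name = filename_from_disposition(header)
    # Drop any directory part (either separator) and trailing dots/spaces
    # that some filesystems silently discard.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if not base or "\x00" in base:
        raise ValueError(f"rejected filename: {name!r}")
    if not allowed_type(base, head):
        raise ValueError(f"rejected type: {base!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:  # defence in depth
        raise ValueError(f"path escapes {root}: {target}")
    return target


def is_rejected(header: str, head: bytes = b"") -> bool:
    """True if safe_target refuses the upload described by header/head."""
    try:
        safe_target(UPLOAD_DIR, header, head)
        return False
    except ValueError:
        return True
```

`naive_target` resolves the constructed traversal header to `/repository/deployment/server/webapps/example.jsp`, i.e. wherever the client pointed; `safe_target` keeps only `photo.png` from the image header and places it under `UPLOAD_DIR`. Checking every extension segment and the magic bytes is what keeps a bypassed permission check (the ACF case) from becoming code execution.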