Vulnerabilities (CVE)

Filtered by CWE-434
Total 1580 CVE
Columns: CVE | Vendors (count: names) | Products (count: names) | Updated | CVSS v2 | CVSS v3, followed by the CVE description.

CVE-2022-27261 | Vendors (1): Express-fileupload Project | Products (1): Express-fileupload | Updated: 2022-04-19 | CVSS v2: 4.3 MEDIUM | CVSS v3: 7.5 HIGH
An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files on the web application server.

CVE-2022-27262 | Vendors (1): Sailsjs | Products (1): Skipper | Updated: 2022-04-19 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows attackers to execute arbitrary code via a crafted file.

CVE-2022-27263 | Vendors (1): Strapi | Products (1): Strapi | Updated: 2022-04-19 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

CVE-2022-27140 | Vendors (1): Express-fileupload Project | Products (1): Express-fileupload | Updated: 2022-04-19 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Express-Fileupload v1.3.1 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-24837 | Vendors (1): Hedgedoc | Products (1): Hedgedoc | Updated: 2022-04-19 | CVSS v2: 5.0 MEDIUM | CVSS v3: 5.3 MEDIUM
HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to `/uploadimage`, which will disable future uploads.

CVE-2019-6139 | Vendors (1): Forcepoint | Products (1): User Id | Updated: 2022-04-18 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Forcepoint User ID (FUID) server versions up to 1.2 have a remote arbitrary file upload vulnerability on TCP port 5001. Successful exploitation of this vulnerability may lead to remote code execution. To fix this vulnerability, upgrade to FUID version 1.3 or higher. To prevent the vulnerability on FUID versions 1.2 and below, apply local firewall rules on the FUID server to disable all external access to port TCP/5001. FUID requires this port only for local connections through the loopback interface.

CVE-2020-10386 | Vendors (1): Chadhaajay | Products (1): Phpkb | Updated: 2022-04-18 | CVSS v2: 6.5 MEDIUM | CVSS v3: 7.2 HIGH
admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve code execution by uploading a .php file into the admin/js/ directory.

CVE-2021-28428 | Vendors (1): Horizontcms Project | Products (1): Horizontcms | Updated: 2022-04-15 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed by uploading an arbitrary .htaccess and *.hello files in order to execute PHP code and gain RCE.

CVE-2022-26630 | Vendors (1): Jellycms | Products (1): Jellycms | Updated: 2022-04-15 | CVSS v2: 6.5 MEDIUM | CVSS v3: 8.8 HIGH
Jellycms v3.8.1 and below was discovered to contain an arbitrary file upload vulnerability via \app.\admin\Controllers\db.php.

CVE-2021-43430 | Vendors (1): Bigantsoft | Products (1): Bigant Office Messenger 5 | Updated: 2022-04-15 | CVSS v2: 6.5 MEDIUM | CVSS v3: 8.8 HIGH
An access control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files.

CVE-2019-19925 | Vendors (8): Debian, Netapp, Opensuse and 5 more | Products (12): Debian Linux, Cloud Backup, Backports Sle and 9 more | Updated: 2022-04-15 | CVSS v2: 5.0 MEDIUM | CVSS v3: 7.5 HIGH
zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.

CVE-2022-27047 | Vendors (1): Moguit | Products (1): Mogu Blog Cms | Updated: 2022-04-15 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
mogu_blog_cms 5.2 allows uploading arbitrary files without any restriction.

CVE-2022-27115 | Vendors (2): Microsoft, Std42 | Products (2): Windows, Elfinder | Updated: 2022-04-15 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
In Studio-42 elFinder 2.1.60, a filename check bypass in the file upload leads to remote code execution.

CVE-2022-1008 | Vendors (1): Ocdi | Products (1): One Click Demo Import | Updated: 2022-04-14 | CVSS v2: 6.5 MEDIUM | CVSS v3: 7.2 HIGH
The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

CVE-2022-1045 | Vendors (1): Trudesk Project | Products (1): Trudesk | Updated: 2022-04-14 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
Stored XSS via .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0.

CVE-2022-27477 | Vendors (1): Newbee-mall Project | Products (1): Newbee-mall | Updated: 2022-04-14 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload vulnerability via the Upload function at /admin/goods/edit.

CVE-2022-27131 | Vendors (1): Zbzcms | Products (1): Zbzcms | Updated: 2022-04-14 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
An arbitrary file upload vulnerability at /zbzedit/php/zbz.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27129 | Vendors (1): Zbzcms | Products (1): Zbzcms | Updated: 2022-04-14 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
An arbitrary file upload vulnerability at /admin/ajax.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27351 | Vendors (1): Zoo Management System Project | Products (1): Zoo Management System | Updated: 2022-04-14 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Zoo Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /public_html/apply_vacancy. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2021-46367 | Vendors (1): Ritecms | Products (1): Ritecms | Updated: 2022-04-14 | CVSS v2: 9.0 HIGH | CVSS v3: 7.2 HIGH
RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htaccess configuration that by default denies execution of .php files in the media and files directories.