Total
1580 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44651 | 1 Zohocorp | 2 Log360, Manageengine Cloud Security Plus | 2022-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175. | |||||
| CVE-2021-46013 | 1 Free School Management Software Project | 1 Free School Management Software | 2022-01-24 | 7.5 HIGH | 9.8 CRITICAL |
| An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is saved into /uploads/exam_question/ directory, and is accessible by all users. | |||||
| CVE-2022-0263 | 1 Pimcore | 1 Pimcore | 2022-01-24 | 4.6 MEDIUM | 7.8 HIGH |
| Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7. | |||||
| CVE-2021-34995 | 1 Commvault | 1 Commcell | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DownloadCenterUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13756. | |||||
| CVE-2021-34997 | 1 Commvault | 1 Commcell | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AppStudioUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13894. | |||||
| CVE-2021-33828 | 1 Owncloud | 1 Files Antivirus | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection. | |||||
| CVE-2021-43973 | 1 Sysaid | 1 Sysaid | 2022-01-20 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file. | |||||
| CVE-2021-45411 | 1 Printable Staff Id Card Creator System Project | 1 Printable Staff Id Card Creator System | 2022-01-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution. | |||||
| CVE-2021-4080 | 1 Craterapp | 1 Crater | 2022-01-18 | 6.5 MEDIUM | 8.8 HIGH |
| crater is vulnerable to Unrestricted Upload of File with Dangerous Type | |||||
| CVE-2021-46078 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2022-01-13 | 3.5 LOW | 4.8 MEDIUM |
| An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability. | |||||
| CVE-2021-46076 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2022-01-12 | 6.5 MEDIUM | 8.8 HIGH |
| Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution. | |||||
| CVE-2021-46079 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2022-01-12 | 6.5 MEDIUM | 7.2 HIGH |
| An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection. | |||||
| CVE-2020-29597 | 1 Incomcms Project | 1 Incomcms | 2022-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server. | |||||
| CVE-2021-23814 | 1 Unisharp | 1 Laravel-filemanager | 2022-01-04 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package unisharp/laravel-filemanager from 0.0.0. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on URL - Remote Code Execution **Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories). | |||||
| CVE-2021-44159 | 1 4mosan | 1 Gcb Doctor | 2022-01-03 | 10.0 HIGH | 9.8 CRITICAL |
| 4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or deny of service attack. | |||||
| CVE-2015-0258 | 3 Canonical, Debian, O-dyn | 3 Ubuntu Linux, Debian Linux, Collabtive | 2022-01-01 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension. | |||||
| CVE-2020-24186 | 1 Gvectors | 1 Wpdiscuz | 2022-01-01 | 7.5 HIGH | 10.0 CRITICAL |
| A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action. | |||||
| CVE-2020-25213 | 1 Webdesi9 | 1 File Manager | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. | |||||
| CVE-2020-13671 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2022-01-01 | 6.5 MEDIUM | 8.8 HIGH |
| Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | |||||
| CVE-2020-26820 | 1 Sap | 1 Netweaver Application Server Java | 2022-01-01 | 9.0 HIGH | 7.2 HIGH |
| SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it. | |||||