Total: 1580 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-29032 | 1 Secomea | 2 Gatemanager 8250, Gatemanager 8250 Firmware | 2021-03-12 | 6.5 MEDIUM | 7.2 HIGH | Upload of Code Without Integrity Check vulnerability in the firmware archive of Secomea GateManager allows an authenticated attacker to execute malicious code on the server. This issue affects: Secomea GateManager all versions prior to 9.4.621054022 |
CVE-2020-9320 | 1 Avira | 8 Anti-malware Sdk, Antivirus Server, Avira Antivirus For Endpoint and 5 more | 2021-03-04 | 4.3 MEDIUM | 5.5 MEDIUM | ** DISPUTED ** Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. NOTE: Vendor asserts that the vulnerability does not exist in the product. |
CVE-2020-24948 | 1 Autoptimize | 1 Autoptimize | 2021-03-04 | 6.5 MEDIUM | 7.2 HIGH | The ao_ccss_import AJAX call in Autoptimize WordPress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high-privilege users to upload arbitrary files, such as PHP, leading to remote command execution. |
CVE-2021-26918 | 1 Probot | 1 Bot | 2021-03-04 | 7.5 HIGH | 9.8 CRITICAL | ** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer-controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side." |
CVE-2020-36079 | 1 Zenphoto | 1 Zenphoto | 2021-03-04 | 6.5 MEDIUM | 7.2 HIGH | ** DISPUTED ** Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files (elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site." |
CVE-2021-20659 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 6.5 MEDIUM | 8.8 HIGH | SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to upload arbitrary files via unspecified vectors. If the file is a PHP script, an attacker may execute arbitrary code. |
CVE-2020-7847 | 1 Iptime | 18 Nas-i, Nas-i Firmware, Nas-ii and 15 more | 2021-02-26 | 5.2 MEDIUM | 8.0 HIGH | The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: ipTIME NAS 1.4.36. |
CVE-2021-27513 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-26 | 6.5 MEDIUM | 8.8 HIGH | The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside." |
CVE-2021-26809 | 1 Car Rental Portal Project | 1 Car Rental Portal | 2021-02-26 | 7.5 HIGH | 9.8 CRITICAL | PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php. |
CVE-2020-10569 | 1 Sysaid | 1 On-premise | 2021-02-25 | 10.0 HIGH | 9.8 CRITICAL | ** DISPUTED ** SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the system by chaining it with a GhostCat attack. NOTE: This may be a duplicate of CVE-2020-1938. |
CVE-2021-25780 | 1 Baby Care System Project | 1 Baby Care System | 2021-02-24 | 6.5 MEDIUM | 7.2 HIGH | An arbitrary file upload vulnerability has been identified in posts.php in Baby Care System 1.0. The vulnerability could be exploited by a remote attacker to upload content to the server, including PHP files, which could result in command execution and obtaining a shell. |
CVE-2020-8639 | 1 Testlink | 1 Testlink | 2021-02-22 | 6.5 MEDIUM | 8.8 HIGH | An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. |
CVE-2020-4955 | 1 Ibm | 1 Spectrum Protect Operations Center | 2021-02-17 | 5.2 MEDIUM | 8.0 HIGH | IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155. |
CVE-2021-21014 | 1 Magento | 1 Magento | 2021-02-16 | 6.5 MEDIUM | 9.1 CRITICAL | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. |
CVE-2020-25037 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2021-02-04 | 7.2 HIGH | 8.2 HIGH | UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command. |
CVE-2020-20287 | 1 Yccms | 1 Yccms | 2021-02-04 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper validation of the request parameters triggers remote code execution. |
CVE-2021-3164 | 1 Churchdesk | 1 Churchrota | 2021-02-02 | 6.5 MEDIUM | 8.8 HIGH | ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php. |
CVE-2020-24549 | 1 Openmaint | 1 Openmaint | 2021-02-02 | 6.5 MEDIUM | 8.8 HIGH | openMAINT before 1.1-2.4.2 allows remote authenticated users to run arbitrary JSP code on the underlying web server. |
CVE-2020-22643 | 1 Feehi | 1 Feehi Cms | 2021-01-29 | 6.5 MEDIUM | 7.2 HIGH | Feehi CMS 2.1.0 is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. After an administrator logs in, the administrator image upload page can be used to upload malicious files. |
CVE-2020-26252 | 1 Openmage | 1 Openmage | 2021-01-28 | 6.5 MEDIUM | 7.2 HIGH | OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions, an administrator with permission to update product data is able to store an executable file on the server and load it via layout XML. OpenMage versions 19.4.10 and 20.0.6 and later have this issue fixed. |