Total
1580 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-42287 | 1 Nvidia | 2 Bmc, Dgx A100 | 2023-01-24 | N/A | 7.8 HIGH | NVIDIA BMC contains a vulnerability in the IPMI handler, where an authorized attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure and data tampering.
CVE-2020-15645 | 1 Marvell | 1 Qconvergeconsole | 2023-01-23 | 9.0 HIGH | 8.8 HIGH | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getFileFromURL method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10553.
CVE-2023-0257 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2023-01-20 | N/A | 9.8 CRITICAL | A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /fos/admin/index.php?page=menu of the component Menu Form. The manipulation of the argument Image with the input `<?php system($_GET['c']); ?>` leads to unrestricted upload. The attack can be launched remotely. The identifier VDB-218185 was assigned to this vulnerability.
CVE-2022-0863 | 1 Wp Svg Icons Project | 1 Wp Svg Icons | 2023-01-19 | 6.5 MEDIUM | 7.2 HIGH | The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing a high-privileged user such as an admin to upload a zip file containing malicious PHP code, leading to remote code execution.
CVE-2022-46610 | 1 72crm | 1 Wukong Crm | 2023-01-13 | N/A | 8.8 HIGH | 72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-3416 | 1 Bravenewcode | 1 Wptouch | 2023-01-12 | N/A | 7.2 HIGH | The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high-privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in a multisite setup).
CVE-2022-44036 | 1 B2evolution | 1 B2evolution Cms | 2023-01-10 | N/A | 7.2 HIGH | ** DISPUTED ** In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it."
CVE-2022-43436 | 1 Easy Test Project | 1 Easy Test | 2023-01-09 | N/A | 8.8 HIGH | The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files to manipulate the system or disrupt service.
CVE-2022-48194 | 1 Tp-link | 2 Tl-wr902ac, Tl-wr902ac Firmware | 2023-01-09 | N/A | 8.8 HIGH | TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.
CVE-2022-4732 | 1 Microweber | 1 Microweber | 2023-01-05 | N/A | 7.2 HIGH | Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-46102 | 1 Ayacms Project | 1 Ayacms | 2023-01-05 | N/A | 9.8 CRITICAL | AyaCMS 3.1.2 is vulnerable to arbitrary file upload via /aya/module/admin/fst_down.inc.php.
CVE-2022-45427 | 1 Dahuasecurity | 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more | 2023-01-04 | N/A | 7.2 HIGH | Some Dahua software products have an unrestricted file upload vulnerability. After obtaining administrator permissions, an attacker can upload arbitrary files by sending a specifically crafted packet to the vulnerable interface.
CVE-2022-4047 | 1 Wpswings | 1 Return Refund And Exchange For Woocommerce | 2023-01-04 | N/A | 9.8 CRITICAL | The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE.
CVE-2022-45896 | 1 Planetestream | 1 Planet Estream | 2023-01-04 | N/A | 9.8 CRITICAL | Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files via Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.
CVE-2022-45966 | 1 Classcms Project | 1 Classcms | 2023-01-03 | N/A | 9.8 CRITICAL | There is an arbitrary file upload vulnerability in the file management function module of Classcms 3.5.
CVE-2022-4665 | 1 Ampache | 1 Ampache | 2022-12-30 | N/A | 8.8 HIGH | Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.
CVE-2022-46493 | 1 Nbnbk Project | 1 Nbnbk | 2022-12-30 | N/A | 9.8 CRITICAL | The default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
CVE-2022-0517 | 1 Mozilla | 1 Vpn | 2022-12-29 | N/A | 7.8 HIGH | Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mozilla VPN < 2.7.1.
CVE-2022-46020 | 1 Wbce | 1 Wbce Cms | 2022-12-29 | N/A | 9.8 CRITICAL | WBCE CMS v1.5.4 allows obtaining a web shell (getshell) by modifying the upload file type.
CVE-2022-4061 | 1 Ultimatemember | 1 Jobboardwp | 2022-12-23 | N/A | 7.5 HIGH | The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.