Total
1580 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18563 | 1 Roche | 10 Accu-chek Inform Ii, Accu-chek Inform Ii Firmware, Coaguchek Pro Ii and 7 more | 2019-10-02 | 8.3 HIGH | 9.6 CRITICAL |
| An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial Number below KQ0400000 or KS0400000) and cobas h 232 before 04.00.04 (Serial Number above KQ0400000 or KS0400000). Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted Poct1-A message. | |||||
| CVE-2017-5520 | 1 Metalgenix | 1 Genixcms | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| The media rename feature in GeniXCMS through 0.0.8 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to rename and execute files with the `.php6`, `.php7` and `.phtml` extensions. | |||||
| CVE-2017-11326 | 1 Tilde Cms Project | 1 Tilde Cms | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass the implemented restrictions on arbitrary file upload via a filename.+php manipulation. | |||||
| CVE-2017-11405 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-10-02 | 4.0 MEDIUM | 4.9 MEDIUM |
| In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file. | |||||
| CVE-2017-17593 | 1 Simple Chatting System Project | 1 Simple Chatting System | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. | |||||
| CVE-2017-6104 | 1 Zen Mobile App Native Project | 1 Zen Mobile App Native | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. | |||||
| CVE-2017-6931 | 1 Drupal | 1 Drupal | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. | |||||
| CVE-2017-8080 | 1 Atlassian | 1 Hipchat Server | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. | |||||
| CVE-2019-15862 | 1 Cksource | 1 Ckfinder | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP. | |||||
| CVE-2019-14916 | 1 Prise | 1 Adas | 2019-09-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in PRiSE adAS 1.7.0. A file's format is not properly checked, leading to an unrestricted file upload. | |||||
| CVE-2019-16720 | 1 Zzzcms | 1 Zzzphp | 2019-09-23 | 5.0 MEDIUM | 7.5 HIGH |
| ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. | |||||
| CVE-2015-9402 | 1 Usersultra | 1 Users Ultra Membership | 2019-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs-form-conf arbitrary file upload. | |||||
| CVE-2019-10012 | 2 Jenzabar, Tiny | 2 Internet Campus Solution, Moxiemanager | 2019-09-20 | 6.0 MEDIUM | 7.5 HIGH |
| Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote attackers to upload and execute arbitrary .aspx code by placing it in a ZIP archive and using the MoxieManager (for .NET) plugin before 2.1.4 in the moxiemanager directory within the installation folder ICS\ICS.NET\ICSFileServer. | |||||
| CVE-2019-15843 | 1 Mi | 1 Xiaomi Millet Firmware | 2019-09-20 | 5.8 MEDIUM | 7.4 HIGH |
| A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. | |||||
| CVE-2019-14252 | 1 Publisure | 1 Publisure | 2019-09-18 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from the adminCons.php view (i.e., the rogue PHP file can be hidden). | |||||
| CVE-2016-10995 | 1 Templatic | 1 Telvolution | 2019-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php. | |||||
| CVE-2019-15131 | 1 Code42 | 1 Code42 | 2019-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution. | |||||
| CVE-2019-16318 | 1 Pimcore | 1 Pimcore | 2019-09-17 | 6.5 MEDIUM | 8.8 HIGH |
| In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317. | |||||
| CVE-2016-10959 | 1 Estatik | 1 Estatik | 2019-09-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php. | |||||
| CVE-2016-10958 | 1 Estatik | 1 Estatik | 2019-09-16 | 5.0 MEDIUM | 7.5 HIGH |
| The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php. | |||||