Total
3977 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2268 | 1 Keerti1924 | 1 Online Bookstore Website | 2025-03-12 | 4.7 Medium |
| A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0. It has been classified as critical. Affected is an unknown function of the file /product_update.php?update=1. The manipulation of the argument update_image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256038 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-2883 | 1 Octopus | 1 Octopus Server | 2025-03-11 | 7.5 High |
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | ||||
| CVE-2023-24249 | 1 Laravel-admin | 1 Laravel-admin | 2025-03-11 | 7.2 High |
| An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-24387 | 1 Smartertools | 1 Smartertrack | 2025-03-11 | 9.1 Critical |
| With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack v100.0.8019.14010 | ||||
| CVE-2024-27115 | 2 Simple Online Planning, Soplanning | 2 So Planning, Soplanning | 2025-03-11 | 9.8 Critical |
| A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02. | ||||
| CVE-2023-26762 | 1 Smeup | 1 Erp | 2025-03-11 | 8.8 High |
| Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an arbitrary file upload vulnerability. | ||||
| CVE-2023-23607 | 1 Dasherr Project | 1 Dasherr | 2025-03-10 | 9.8 Critical |
| erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows for any file to uploaded to anywhere. If an attacker uploads a php file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2023-22726 | 1 Act Project | 1 Act | 2025-03-10 | 8 High |
| act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path is variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually. | ||||
| CVE-2021-41231 | 1 Openmage | 1 Magento | 2025-03-10 | 7.2 High |
| OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | ||||
| CVE-2023-23937 | 1 Pimcore | 1 Pimcore | 2025-03-10 | 8.2 High |
| Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain. This issue has been patched in version 10.5.16. | ||||
| CVE-2023-24045 | 1 Dataiku | 1 Data Science Studio | 2025-03-10 | 6.5 Medium |
| In Dataiku DSS 11.2.1, an attacker can download other Dataiku files that were uploaded to the myfiles section by specifying the target username in a download request. | ||||
| CVE-2023-25402 | 1 Yf-exam Project | 1 Yf-exam | 2025-03-06 | 7.5 High |
| CleverStupidDog yf-exam 1.8.0 is vulnerable to File Upload. There is no restriction on the suffix of the uploaded file, resulting in any file upload. | ||||
| CVE-2023-32562 | 1 Ivanti | 1 Avalanche | 2025-03-06 | 9.8 Critical |
| An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1. | ||||
| CVE-2023-26949 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-03-06 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2021-33352 | 1 Wyomind | 1 Help Desk | 2025-03-05 | 9.8 Critical |
| An issue in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via a phar file upload in the ticket message field. | ||||
| CVE-2014-125104 | 1 Automattic | 1 Vaultpress | 2025-03-05 | 6.3 Medium |
| A vulnerability was found in VaultPress Plugin up to 1.6.0 on WordPress. It has been declared as critical. Affected by this vulnerability is the function protect_aioseo_ajax of the file class.vaultpress-hotfixes.php of the component MailPoet Plugin. The manipulation leads to unrestricted upload. The attack can be launched remotely. Upgrading to version 1.6.1 is able to address this issue. The patch is named e3b92b14edca6291c5f998d54c90cbe98a1fb0e3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230263. | ||||
| CVE-2023-2063 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2025-03-05 | 6.3 Medium |
| Unrestricted Upload of File with Dangerous Type vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to cause information disclosure, tampering, deletion or destruction via file upload/download. As a result, the attacker may be able to exploit this for further attacks. | ||||
| CVE-2024-5043 | 1 Emlog | 1 Emlog | 2025-03-05 | 4.7 Medium |
| A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264740. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-22890 | 1 Smartbear | 1 Zephyr Enterprise | 2025-03-05 | 7.5 High |
| SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition. | ||||
| CVE-2025-1890 | 1 Shishuocms Project | 1 Shishuocms | 2025-03-05 | 6.3 Medium |
| A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||