Total: 3041 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-6124 | 1 Ibm | 1 Kenexa Lms On Cloud | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | |||||
CVE-2017-10940 | 1 Joyent | 1 Triton Datacenter | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Joyent Smart Data Center prior to agentsshar@1.0.0-release-20160901-20160901T051624Z-g3fd5adf (e469cf49-4de3-4658-8419-ab42837916ad). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the docker API. The process does not properly validate user-supplied data which can allow for the upload of arbitrary files. An attacker can leverage this vulnerability to execute arbitrary code under the context of root. Was ZDI-CAN-3853. | |||||
CVE-2015-3884 | 1 Qdpm | 1 Qdpm | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/. | |||||
CVE-2017-11405 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file. | |||||
CVE-2017-2737 | 1 Huawei | 2 Vcm5010, Vcm5010 Firmware | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
VCM5010 with software versions earlier than V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that are uploaded. An authenticated attacker could upload arbitrary files to the system. | |||||
CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | |||||
CVE-2017-9380 | 1 Open-emr | 1 Openemr | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. | |||||
CVE-2017-15962 | 1 Istock Management System Project | 1 Istock Management System | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
iStock Management System 1.0 allows Arbitrary File Upload via user/profile. | |||||
CVE-2017-11404 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php. | |||||
CVE-2015-9228 | 1 Imagely | 1 Nextgen Gallery | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php. | |||||
CVE-2017-1002000 | 1 Mobile-friendly-app-builder-by-easytouch Project | 1 Mobile-friendly-app-builder-by-easytouch | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Vulnerability in the WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0: the code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content. | |||||
CVE-2017-7281 | 1 Unitrends | 1 Enterprise Backup | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload. | |||||
CVE-2017-6104 | 1 Zen Mobile App Native Project | 1 Zen Mobile App Native | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Remote file upload vulnerability in WordPress Plugin Mobile App Native 3.0. | |||||
CVE-2017-3108 | 1 Adobe | 1 Experience Manager | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. | |||||
CVE-2017-2699 | 1 Huawei | 6 Honor 7, Honor 7 Firmware, Lyo-l21 and 3 more | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. An attacker could exploit this vulnerability to upload theme packs containing malicious files and trick users into installing the theme packets, resulting in the execution of arbitrary code. | |||||
CVE-2017-11154 | 1 Synology | 1 Photo Station | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. | |||||
CVE-2017-12929 | 1 Tecnovision | 1 Dlx Spot Player4 | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. | |||||
CVE-2017-14079 | 1 Trendmicro | 1 Mobile Security | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations. | |||||
CVE-2017-11326 | 1 Tilde Cms Project | 1 Tilde Cms | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass the implemented restrictions on arbitrary file upload via a filename.+php manipulation. | |||||
CVE-2016-1713 | 1 Vtiger | 1 Vtiger Crm | 2025-04-20 | 8.5 HIGH | 7.3 HIGH |
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. |