Vulnerabilities (CVE)

Filtered by CWE-434
Total 3416 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-8921 1 Ibm 1 Filenet Workplace Xt 2025-04-20 6.5 MEDIUM 8.8 HIGH
IBM FileNet WorkPlace XT could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
CVE-2015-7571 1 Yeager 1 Yeager Cms 2025-04-20 6.8 MEDIUM 7.8 HIGH
Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
CVE-2017-1002002 1 Webapp-builder Project 1 Webapp-builder 2025-04-20 7.5 HIGH 9.8 CRITICAL
Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
CVE-2017-11466 1 Dotcms 1 Dotcms 2025-04-20 9.0 HIGH 7.2 HIGH
Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary code execution by requesting the .jsp file at a /assets URI.
CVE-2016-8973 1 Ibm 1 Rational Rhapsody Design Manager 2025-04-20 4.0 MEDIUM 4.3 MEDIUM
IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960.
CVE-2017-14346 1 Blog Project 1 Blog 2025-04-20 7.5 HIGH 9.8 CRITICAL
upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file.
CVE-2015-4463 1 Efrontlearning 1 Efront 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL.
CVE-2017-16941 1 Octobercms 1 October 2025-04-20 6.5 MEDIUM 8.8 HIGH
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering.
CVE-2011-4334 1 Labwiki Project 1 Labwiki 2025-04-20 6.5 MEDIUM 8.8 HIGH
edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter.
CVE-2016-0354 1 Ibm 1 Sametime 2025-04-20 6.0 MEDIUM 5.5 MEDIUM
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which could be executed with user privileges. IBM X-Force ID: 111893.
CVE-2017-14399 1 Blackcat-cms 1 Blackcat Cms 2025-04-20 6.5 MEDIUM 8.8 HIGH
In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php.
CVE-2017-8862 1 Cohuhd 2 3960hd, 3960hd Firmware 2025-04-20 10.0 HIGH 9.8 CRITICAL
The webupgrade function on the Cohu 3960HD does not verify the firmware upgrade files or process, allowing an attacker to upload a specially crafted postinstall.sh file that will be executed with "root" privileges.
CVE-2017-1000194 1 Octobercms 1 October 2025-04-20 7.5 HIGH 9.8 CRITICAL
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server.
CVE-2017-12678 2 Debian, Taglib 2 Debian Linux, Taglib 2025-04-20 6.8 MEDIUM 8.8 HIGH
In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.
CVE-2017-15580 1 Osticket 1 Osticket 2025-04-20 7.5 HIGH 9.8 CRITICAL
osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file, such as with a tickets.php request that is modified with a .html extension changed to a .exe extension. An attacker can leverage this vulnerability to upload arbitrary files on the web application having malicious content.
CVE-2017-1002016 1 Flickr Picture Backup Project 1 Flickr Picture Backup 2025-04-20 7.5 HIGH 9.8 CRITICAL
Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files.
CVE-2017-9364 1 Bigtreecms 1 Bigtree Cms 2025-04-20 7.5 HIGH 9.8 CRITICAL
Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.
CVE-2017-9650 2 Automatedlogic, Carrier 3 I-vu, Sitescan Web, Automatedlogic Webctrl 2025-04-20 4.6 MEDIUM 7.8 HIGH
An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code.
CVE-2017-14958 1 Pivotx 1 Pivotx 2025-04-20 6.5 MEDIUM 7.2 HIGH
lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.
CVE-2016-6104 1 Ibm 1 Security Key Lifecycle Manager 2025-04-20 6.5 MEDIUM 7.2 HIGH
IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute arbitrary code on the vulnerable system.