Total
3136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4921 | 1 Oretnom23 | 1 Employee And Visitor Gate Pass Logging System | 2025-02-10 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. Affected is an unknown function of the file /employee_gatepass/classes/Users.php?f=ssave. The manipulation of the argument img leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264456. | |||||
| CVE-2024-4920 | 1 Razormist | 1 Online Discussion Forum Site | 2025-02-10 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file registerH.php. The manipulation of the argument ima leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264455. | |||||
| CVE-2024-25918 | 1 Instawp | 1 Instawp Connect | 2025-02-09 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8. | |||||
| CVE-2024-6823 | 1 Davidlingren | 1 Media Library Assistant | 2025-02-07 | N/A | 8.8 HIGH |
| The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-7484 | 1 Crmperks | 1 Crm Perks Forms | 2025-02-07 | N/A | 7.2 HIGH |
| The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-27951 | 1 Themeisle | 1 Multiple Page Generator | 2025-02-07 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows Upload a Web Shell to a Web Server.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0. | |||||
| CVE-2025-0582 | 1 Angeljudesuarez | 1 Tailoring Management System | 2025-02-07 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in itsourcecode Farm Management System up to 1.0. This vulnerability affects unknown code of the file /add-pig.php. The manipulation of the argument pigphoto leads to unrestricted upload. The attack can be initiated remotely. | |||||
| CVE-2024-3962 | 1 Themeisle | 1 Product Addons \& Fields For Woocommerce | 2025-02-07 | N/A | 9.8 CRITICAL |
| The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce. | |||||
| CVE-2023-29627 | 1 Online Pizza Ordering Project | 1 Online Pizza Ordering | 2025-02-06 | N/A | 8.8 HIGH |
| Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server. | |||||
| CVE-2023-29621 | 1 Purchase Order Management Project | 1 Purchase Order Management | 2025-02-06 | N/A | 8.8 HIGH |
| Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server. | |||||
| CVE-2022-34128 | 1 Glpi-project | 1 Positions | 2025-02-06 | N/A | 9.8 CRITICAL |
| The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php. | |||||
| CVE-2024-27943 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | N/A | 7.2 HIGH |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | |||||
| CVE-2024-27944 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | N/A | 7.2 HIGH |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | |||||
| CVE-2024-27945 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | N/A | 7.2 HIGH |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | |||||
| CVE-2024-2667 | 1 Instawp | 1 Instawp Connect | 2025-02-06 | N/A | 9.8 CRITICAL |
| The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files. | |||||
| CVE-2023-38095 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-06 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System MFileUploadController Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19717. | |||||
| CVE-2023-38098 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-06 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19720. | |||||
| CVE-2023-27755 | 1 71note | 1 Go-bbs | 2025-02-06 | N/A | 8.8 HIGH |
| go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download. | |||||
| CVE-2024-13723 | 2025-02-06 | N/A | 7.2 HIGH | ||
| The "NagVis" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute the contents of the file as PHP. | |||||
| CVE-2024-25636 | 1 Misskey | 1 Misskey | 2025-02-05 | N/A | 7.1 HIGH |
| Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue. | |||||