Vulnerabilities (CVE)

Filtered by CWE-434
Total 3073 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-27435 1 Ecommerce-website Project 1 Ecommerce-website 2024-11-21 6.5 MEDIUM 8.8 HIGH
An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.
CVE-2022-27357 1 Ecommerce-website Project 1 Ecommerce-website 2024-11-21 7.5 HIGH 9.8 CRITICAL
Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27352 1 Simple House Rental System Project 1 Simple House Rental System 2024-11-21 6.5 MEDIUM 8.8 HIGH
Simple House Rental System v1 was discovered to contain an arbitrary file upload vulnerability via /app/register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27351 1 Phpgurukul 1 Zoo Management System 2024-11-21 7.5 HIGH 9.8 CRITICAL
Zoo Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /public_html/apply_vacancy. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27349 1 Socialcodia 1 Social Codia Sms 2024-11-21 6.5 MEDIUM 7.2 HIGH
Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27346 1 Ecommerce-website Project 1 Ecommerce-website 2024-11-21 6.5 MEDIUM 8.8 HIGH
Ecommece-Website v1.1.0 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?slides. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27263 1 Strapi 1 Strapi 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-27262 1 Sailsjs 1 Skipper 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-27261 1 Express-fileupload Project 1 Express-fileupload 2024-11-21 4.3 MEDIUM 7.5 HIGH
An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.
CVE-2022-27260 1 Buttercms 1 Buttercms 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload component of ButterCMS v1.2.8 allows attackers to execute arbitrary code via a crafted SVG file.
CVE-2022-27249 1 Idearespa 1 Reftree 2024-11-21 9.0 HIGH 8.8 HIGH
An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.
CVE-2022-27140 1 Express-fileupload Project 1 Express-fileupload 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).
CVE-2022-27139 1 Ghost 1 Ghost 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality
CVE-2022-27131 1 Zbzcms 1 Zbzcms 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability at /zbzedit/php/zbz.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27129 1 Zbzcms 1 Zbzcms 2024-11-21 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability at /admin/ajax.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27115 2 Microsoft, Std42 2 Windows, Elfinder 2024-11-21 7.5 HIGH 9.8 CRITICAL
In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.
CVE-2022-27064 1 Musical World Project 1 Musical World 2024-11-21 6.5 MEDIUM 8.8 HIGH
Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27061 1 Aerocms Project 1 Aerocms 2024-11-21 6.5 MEDIUM 7.2 HIGH
AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27047 1 Moguit 1 Mogu Blog Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
mogu_blog_cms 5.2 suffers from upload arbitrary files without any limitation.
CVE-2022-26965 1 Pluck-cms 1 Pluck 2024-11-21 6.5 MEDIUM 7.2 HIGH
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.