Total
2765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12843 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used. | |||||
| CVE-2020-14022 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2020-09-26 | 9.0 HIGH | 8.8 HIGH |
| Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Starter" module) within the application. | |||||
| CVE-2020-4620 | 1 Ibm | 1 Data Risk Manager | 2020-09-22 | 9.0 HIGH | 8.8 HIGH |
| IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 184979. | |||||
| CVE-2020-23828 | 1 Online Course Registration Project | 1 Online Course Registration | 2020-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| A File Upload vulnerability in SourceCodester Online Course Registration v1.0 allows remote attackers to achieve Remote Code Execution (RCE) on the hosting webserver by uploading a crafted PHP web-shell that bypasses the image upload filters. An attack uses /Online%20Course%20Registration/my-profile.php with the POST parameter photo. | |||||
| CVE-2020-10228 | 1 Vtenext | 1 Vtenext | 2020-09-18 | 6.5 MEDIUM | 8.8 HIGH |
| A file upload vulnerability in vtecrm vtenext 19 CE allows authenticated users to upload files with a .pht extension, resulting in remote code execution. | |||||
| CVE-2020-25287 | 1 Pligg Project | 1 Pligg | 2020-09-17 | 6.5 MEDIUM | 7.2 HIGH |
| Pligg 2.0.3 allows remote authenticated users to execute arbitrary commands because the template editor can edit any file, as demonstrated by an admin/admin_editor.php the_file=..%2Findex.php&open=Open request. | |||||
| CVE-2020-14008 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-16 | 6.5 MEDIUM | 7.2 HIGH |
| Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. | |||||
| CVE-2018-15424 | 1 Cisco | 1 Identity Services Engine | 2020-09-16 | 6.5 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. | |||||
| CVE-2020-4703 | 1 Ibm | 1 Spectrum Protect Plus | 2020-09-16 | 6.0 MEDIUM | 8.0 HIGH |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. IBM X-Force ID: 187188. | |||||
| CVE-2020-24195 | 1 Online Bike Rental Project | 1 Online Bike Rental | 2020-09-15 | 6.5 MEDIUM | 9.1 CRITICAL |
| An Arbitrary File Upload in the Upload Image component in Sourcecodester Online Bike Rental v1.0 allows authenticated administrator to conduct remote code execution. | |||||
| CVE-2019-11447 | 1 Cutephp | 1 Cutenews | 2020-09-11 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.) | |||||
| CVE-2020-23829 | 1 Librehealth | 1 Librehealth Ehr | 2020-09-10 | 6.5 MEDIUM | 8.8 HIGH |
| interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image. | |||||
| CVE-2020-6288 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-09-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) allows an attacker with edit document rights to upload any file (including script files) without proper file format validation leading to Unrestricted upload of file with dangerous type vulnerability. The attacker can modify some formulas and display erroneous content. The server is not affected only the current user browser session, that can easily be closed. | |||||
| CVE-2020-24199 | 1 Projectworlds | 1 Car Rental Project | 2020-09-10 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary File Upload in the Vehicle Image Upload component in Project Worlds Car Rental Management System v1.0 allows attackers to conduct remote code execution. | |||||
| CVE-2020-23972 | 1 Gmapfp | 1 Gmapfp | 2020-09-09 | 5.0 MEDIUM | 7.5 HIGH |
| In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions. | |||||
| CVE-2019-7816 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 2 and earlier, Update 9 and earlier, and Update 17 and earlier have a file upload restriction bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7838 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a file extension blacklist bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2020-24196 | 1 Online Bike Rental Project | 1 Online Bike Rental | 2020-09-02 | 6.5 MEDIUM | 7.2 HIGH |
| An Arbitrary File Upload in Vehicle Image Upload in Online Bike Rental v1.0 allows authenticated admin to conduct remote code execution. | |||||
| CVE-2020-24202 | 1 Projectworlds | 1 House Rental And Property Listing Project | 2020-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| File Upload component in Projects World House Rental v1.0 suffers from an arbitrary file upload vulnerability with regular users, which allows remote attackers to conduct code execution. | |||||
| CVE-2020-7055 | 1 Elementor | 1 Elementor Page Builder | 2020-08-25 | 9.0 HIGH | 9.9 CRITICAL |
| An issue was discovered in Elementor 2.7.4. Arbitrary file upload is possible in the Elementor Import Templates function, allowing an attacker to execute code via a crafted ZIP archive. | |||||