Total: 2765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-1002016 | 1 Flickr Picture Backup Project | 1 Flickr Picture Backup | 2019-12-11 | 7.5 HIGH | 9.8 CRITICAL | Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files.
CVE-2019-19684 | 1 Nopcommerce | 1 Nopcommerce | 2019-12-11 | 6.5 MEDIUM | 8.8 HIGH | nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.
CVE-2019-4612 | 1 Ibm | 1 Planning Analytics | 2019-12-11 | 6.5 MEDIUM | 8.8 HIGH | IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-19595 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL | reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.
CVE-2019-19594 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL | reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file.
CVE-2019-4130 | 1 Ibm | 1 Cloud Pak System | 2019-12-09 | 6.5 MEDIUM | 8.8 HIGH | IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 158280.
CVE-2019-19020 | 1 Titanhq | 1 Webtitan | 2019-12-09 | 9.0 HIGH | 7.2 HIGH | An issue was discovered in TitanHQ WebTitan before 5.18. In the administration web interface it is possible to upload a crafted backup file that enables an attacker to execute arbitrary code by overwriting existing files or adding new PHP files under the web root. This requires the attacker to have access to a valid web interface account.
CVE-2013-6234 | 1 Eng | 1 Spagobi | 2019-12-04 | 6.0 MEDIUM | 8.0 HIGH | Unrestricted file upload vulnerability in the Worksheet designer in SpagoBI before 4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, aka "XSS File Upload."
CVE-2019-17403 | 1 Nokia | 1 Impact | 2019-12-04 | 6.5 MEDIUM | 8.8 HIGH | Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution.
CVE-2019-12271 | 1 Sandline | 1 Centraleyezer | 2019-11-21 | 7.5 HIGH | 9.8 CRITICAL | Sandline Centraleyezer (On Premises) allows unrestricted File Upload with a dangerous type, because the feature of adding ".jpg" to any uploaded filename is not enforced on the server side.
CVE-2018-0587 | 1 Ultimatemember | 1 User Profile & Membership | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM | Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
CVE-2019-19084 | 1 Octopus | 1 Octopus Deploy | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM | In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details.
CVE-2019-17058 | 1 Footy | 1 Tipping Software | 2019-11-20 | 6.5 MEDIUM | 9.1 CRITICAL | Footy Tipping Software AFL Web Edition 2019 allows arbitrary file upload and resultant remote code execution because a whitelist can be bypassed by an Administrator who uploads a crafted upload.dat file.
CVE-2010-4661 | 5 Debian, Fedoraproject, Opensuse and 2 more | 5 Debian Linux, Fedora, Opensuse and 2 more | 2019-11-18 | 4.6 MEDIUM | 7.8 HIGH | udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.
CVE-2014-1214 | 1 Projoom | 1 Smart Flash Header | 2019-11-18 | 6.5 MEDIUM | 8.8 HIGH | views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary files via a crafted (1) dest parameter and (2) arbitrary extension in the Filename parameter.
CVE-2019-18952 | 1 Sibsoft | 1 Xfilesharing | 2019-11-15 | 7.5 HIGH | 9.8 CRITICAL | SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
CVE-2019-12719 | 1 Auo | 1 Sunveillance Monitoring System & Data Recorder | 2019-11-15 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Picture_Manage_mvc.aspx in AUO SunVeillance Monitoring System before v1.1.9e. There is an incorrect access control vulnerability that can allow an unauthenticated user to upload files via a modified authority parameter.
CVE-2018-11091 | 1 Mybiz | 1 Myprocurenet | 2019-11-12 | 9.0 HIGH | 9.9 CRITICAL | An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.
CVE-2011-1134 | 1 S9y | 1 Serendipity | 2019-11-08 | 7.5 HIGH | 9.8 CRITICAL | Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.
CVE-2019-8140 | 1 Magento | 1 Magento | 2019-11-07 | 4.0 MEDIUM | 4.9 MEDIUM | An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.