Total: 2765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-34692 | 1 Sap | 1 Enable Now | 2024-09-09 | N/A | 4.6 MEDIUM | Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user and which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application. |
CVE-2024-39865 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-09-09 | N/A | 8.8 HIGH | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, which could potentially lead to remote code execution. |
CVE-2022-2297 | 1 Oretnom23 | 1 Clinic's Patient Management System | 2024-09-07 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the argument profile_picture with the input `<?php phpinfo();?>` leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
CVE-2024-5008 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 8.8 HIGH | In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. |
CVE-2024-8164 | 1 Beikeshop | 1 Beikeshop | 2024-09-06 | N/A | 8.8 HIGH | A vulnerability, which was classified as critical, has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this issue is the function rename of the file /Admin/Http/Controllers/FileManagerController.php. The manipulation of the argument new_name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-7694 | 1 Teamt5 | 1 Threatsonar Anti-ransomware | 2024-09-06 | N/A | 7.2 HIGH | ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system commands on the server. |
CVE-2024-6280 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-09-06 | N/A | 9.8 CRITICAL | A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269493 was assigned to this vulnerability. |
CVE-2024-45076 | 1 Ibm | 1 Webmethods Integration | 2024-09-06 | N/A | 9.9 CRITICAL | IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files, which could be executed on the underlying operating system. |
CVE-2024-43249 | 1 Bitapps | 1 Bit Form | 2024-09-06 | N/A | 8.8 HIGH | Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection. This issue affects Bit Form Pro: from n/a through 2.6.4. |
CVE-2024-40645 | 1 Fogproject | 1 Fogproject | 2024-09-05 | N/A | 8.8 HIGH | FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41. |
CVE-2024-6945 | 1 Flute-cms | 1 Flute | 2024-09-05 | N/A | 9.8 CRITICAL | A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067. |
CVE-2023-41725 | 1 Ivanti | 1 Avalanche | 2024-09-05 | N/A | 7.8 HIGH | Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability |
CVE-2023-33480 | 1 Remoteclinic | 1 Remote Clinic | 2024-09-05 | N/A | 8.8 HIGH | RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. The vulnerabilities are caused by a lack of input validation and access control in the staff/register.php endpoint and the edit-my-profile.php page. By sending a series of specially crafted requests to the RemoteClinic application, an attacker can create admin users with more privileges than their own, upload a PHP file containing arbitrary code, and execute arbitrary commands via the PHP shell. |
CVE-2024-8330 | 1 6shr System Project | 1 6shr System | 2024-09-05 | N/A | 8.8 HIGH | 6SHR system from Gether Technology does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload web shell scripts and use them to execute arbitrary system commands on the server. |
CVE-2023-6140 | 1 G5plus | 1 Essential Real Estate | 2024-09-04 | N/A | 8.8 HIGH | The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. |
CVE-2024-8342 | 1 Nelzkie15 | 1 Petshop Management System | 2024-09-04 | N/A | 8.8 HIGH | A vulnerability, which was classified as critical, has been found in SourceCodester Petshop Management System 1.0. This issue affects some unknown processing of the file /controllers/add_client.php. The manipulation of the argument image_profile leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
CVE-2024-8341 | 1 Nelzkie15 | 1 Pet Shop Management System | 2024-09-04 | N/A | 9.8 CRITICAL | A vulnerability classified as critical was found in SourceCodester Petshop Management System 1.0. This vulnerability affects unknown code of the file /controllers/add_user.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
CVE-2024-6756 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-09-03 | N/A | 8.8 HIGH | The Social Auto Poster plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpw_auto_poster_get_image_path' function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Contributor-level and above permissions, to upload arbitrary files on the affected site's server, which may make remote code execution possible. An attacker can use CVE-2024-6754 to exploit with subscriber-level access. |
CVE-2024-7943 | 1 Adonesevangelista | 1 Laravel Property Management System | 2024-09-03 | N/A | 8.8 HIGH | A vulnerability was found in itsourcecode Laravel Property Management System 1.0 and classified as critical. This issue affects the function upload of the file PropertiesController.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
CVE-2024-6117 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2024-08-30 | N/A | 8.8 HIGH | An Unrestricted upload of file with dangerous type vulnerability in the meeting management function in Hamastar MeetingHub Paperless Meetings 2021 allows remote authenticated users to perform arbitrary system commands via a crafted ASP file. |