Total: 2765 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-25003 | 1 Wptaskforce | 1 Wpcargo Track & Trace | 2022-10-25 | 7.5 HIGH | 9.8 CRITICAL | The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
CVE-2022-39305 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2022-10-24 | N/A | 9.8 CRITICAL | Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fails to validate the fileMd5 and fileName parameters, resulting in an arbitrary file being read. This issue is patched in 2.5.4b. There are no known workarounds.
CVE-2021-22858 | 1 Changjia Property Management System Project | 1 Changjia Property Management System | 2022-10-24 | 6.5 MEDIUM | 8.8 HIGH | Attackers can access the CGE account management function without privilege for permission elevation and execute arbitrary commands or files after obtaining user permissions.
CVE-2019-7669 | 1 Primasystems | 1 Flexair | 2022-10-21 | 9.0 HIGH | 8.8 HIGH | Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.
CVE-2020-27387 | 1 Horizontcms Project | 1 Horizontcms | 2022-10-19 | 6.5 MEDIUM | 8.8 HIGH | An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, then using the FileManager's rename function to give the payload (which receives a random name on the server) the PHP extension, and finally executing the PHP file via an HTTP GET request to `/storage/<php_file_name>`. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
CVE-2019-8992 | 1 Tibco | 5 Activematrix Bpm, Activematrix Policy Director, Activematrix Service Bus and 2 more | 2022-10-14 | 6.5 MEDIUM | 8.8 HIGH | The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives ("Upload DAA" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1.
CVE-2019-7257 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2022-10-14 | 7.5 HIGH | 10.0 CRITICAL | Linear eMerge E3-Series devices allow Unrestricted File Upload.
CVE-2019-7268 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2022-10-13 | 10.0 HIGH | 10.0 CRITICAL | Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.
CVE-2019-7274 | 1 Optergy | 2 Enterprise, Proton | 2022-10-13 | 10.0 HIGH | 9.8 CRITICAL | Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root.
CVE-2022-40777 | 1 Interspire | 1 Email Marketer | 2022-10-13 | N/A | 8.8 HIGH | Interspire Email Marketer through 6.5.0 allows arbitrary file upload via a surveys_submit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under a /admin/temp/surveys/ URI. NOTE: this issue exists because of an incomplete fix for CVE-2018-19550.
CVE-2022-40921 | 1 Dedecms | 1 Dedecms | 2022-10-13 | N/A | 7.2 HIGH | DedeCMS V5.7.99 was discovered to contain an arbitrary file upload vulnerability via the component /dede/file_manage_control.php.
CVE-2022-41379 | 1 Online Leave Management System Project | 1 Online Leave Management System | 2022-10-11 | N/A | 7.2 HIGH | An arbitrary file upload vulnerability in the component /leave_system/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-41512 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2022-10-09 | N/A | 7.2 HIGH | An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2020-8866 | 2 Debian, Horde | 3 Debian Linux, Groupware, Horde Form | 2022-10-07 | 4.0 MEDIUM | 6.5 MEDIUM | This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
CVE-2022-36066 | 1 Discourse | 1 Discourse | 2022-10-06 | N/A | 7.2 HIGH | Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
CVE-2022-3125 | 1 Najeebmedia | 1 Frontend File Manager | 2022-10-04 | N/A | 8.8 HIGH | The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension such as PHP, which could allow them to upload arbitrary files to the server and achieve RCE.
CVE-2022-40886 | 1 Dedecms | 1 Dedecms | 2022-10-04 | N/A | 7.2 HIGH | DedeCMS 5.7.98 has a file upload vulnerability in the background.
CVE-2020-4588 | 2 Ibm, Microsoft | 2 I2 Ibase, Windows | 2022-09-30 | 6.8 MEDIUM | 7.8 HIGH | IBM i2 iBase 8.9.13 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim, could result in code execution. IBM X-Force ID: 184579.
CVE-2021-45790 | 1 Metersphere | 1 Metersphere | 2022-09-30 | N/A | 9.8 CRITICAL | An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to an arbitrary directory, where attackers can write a cron job to execute commands.
CVE-2021-24284 | 1 Kaswara Project | 1 Kaswara | 2022-09-28 | 7.5 HIGH | 9.8 CRITICAL | The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.