Total
2975 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21344 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2024-11-21 | 7.5 HIGH | 5.3 MEDIUM |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21245 | 1 Onedev Project | 1 Onedev | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder. | |||||
| CVE-2021-21131 | 2 Google, Microsoft | 2 Chrome, Edge Chromium | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |||||
| CVE-2021-21014 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. | |||||
| CVE-2021-20721 | 1 Kujirahand | 1 Konawiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload arbitrary files via unspecified vectors. If the file contains PHP scripts, arbitrary code may be executed. | |||||
| CVE-2021-20659 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to upload arbitrary files via unspecified vectors. If the file is PHP script, an attacker may execute arbitrary code. | |||||
| CVE-2021-20131 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface. | |||||
| CVE-2021-20130 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface. | |||||
| CVE-2021-20125 | 1 Draytek | 1 Vigorconnect | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. An unauthenticated attacker could leverage this vulnerability to upload files to any location on the target operating system with root privileges. | |||||
| CVE-2021-20104 | 1 Machform | 1 Machform | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php. | |||||
| CVE-2020-9472 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. | |||||
| CVE-2020-9471 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. | |||||
| CVE-2020-9423 | 1 Logicaldoc | 1 Logicaldoc | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. LogicalDoc provides a functionality to add documents. Those documents could then be used for multiple tasks, such as version control, shared among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file in a restricted folder. This would lead to the executions of malicious commands with root privileges. | |||||
| CVE-2020-9380 | 1 Whmcssmarters | 1 Web Tv Player | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script. | |||||
| CVE-2020-9320 | 1 Avira | 8 Anti-malware Sdk, Antivirus Server, Avira Antivirus For Endpoint and 5 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. NOTE: Vendor asserts that vulnerability does not exist in product | |||||
| CVE-2020-9309 | 1 Silverstripe | 2 Mimevalidator, Recipe | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected. | |||||
| CVE-2020-9280 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. | |||||
| CVE-2020-8974 | 1 Zigor | 2 Zgr Tps200 Ng, Zgr Tps200 Ng Firmware | 2024-11-21 | N/A | 10.0 CRITICAL |
| In ZGR TPS200 NG 2.00 firmware version and 1.01 hardware version, the firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable. | |||||
| CVE-2020-8866 | 2 Debian, Horde | 3 Debian Linux, Groupware, Horde Form | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125. | |||||
| CVE-2020-8639 | 1 Testlink | 1 Testlink | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. | |||||