Total
3110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36042 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution. | |||||
| CVE-2021-36040 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution. | |||||
| CVE-2021-35963 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks. | |||||
| CVE-2021-35532 | 1 Hitachienergy | 2 Txpert Hub Coretec 4, Txpert Hub Coretec 4 Firmware | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability exists in the file upload validation part of Hitachi Energy TXpert Hub CoreTec 4 product. The vulnerability allows an attacker or malicious agent who manages to gain access to the system and obtain an account with sufficient privilege to upload a malicious firmware to the product. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0; 2.0.1; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1. | |||||
| CVE-2021-35290 | 1 Balero Cms Project | 1 Balero Cms | 2024-11-21 | N/A | 7.2 HIGH |
| File Upload vulnerability in balerocms-src 0.8.3 allows remote attackers to run arbitrary code via rich text editor on /admin/main/mod-blog page. | |||||
| CVE-2021-35244 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2024-11-21 | 8.5 HIGH | 6.8 MEDIUM |
| The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution. | |||||
| CVE-2021-34997 | 1 Commvault | 1 Commcell | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AppStudioUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13894. | |||||
| CVE-2021-34995 | 1 Commvault | 1 Commcell | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DownloadCenterUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13756. | |||||
| CVE-2021-34685 | 1 Hitachi | 1 Vantara Pentaho | 2024-11-21 | 6.5 MEDIUM | 2.7 LOW |
| UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution). | |||||
| CVE-2021-34624 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. . | |||||
| CVE-2021-34623 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. . | |||||
| CVE-2021-34551 | 3 Fedoraproject, Microsoft, Phpmailer Project | 3 Fedora, Windows, Phpmailer | 2024-11-21 | 5.1 MEDIUM | 8.1 HIGH |
| PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. | |||||
| CVE-2021-34427 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance. | |||||
| CVE-2021-34257 | 1 Wpanel Cms Project | 1 Wpanel Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image. | |||||
| CVE-2021-34128 | 1 Laiketui | 1 Laiketui | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| LaikeTui 3.5.0 allows remote authenticated users to execute arbitrary PHP code by using index.php?module=system&action=pay to upload a ZIP archive containing a .php file, as demonstrated by the ../../../../phpinfo.php pathname. | |||||
| CVE-2021-34074 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. | |||||
| CVE-2021-33884 | 1 Bbraun | 3 Infusomat Large Volume Pump 871305u, Spacecom2, Spacestation 8713142u | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| An Unrestricted Upload of File with Dangerous Type vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API. This can result in critical files being overwritten. | |||||
| CVE-2021-33828 | 1 Owncloud | 1 Files Antivirus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection. | |||||
| CVE-2021-33698 | 1 Sap | 1 Business One | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation. | |||||
| CVE-2021-33615 | 1 Rsa | 1 Archer | 2024-11-21 | 8.5 HIGH | 7.5 HIGH |
| RSA Archer 6.8.00500.1003 P5 allows Unrestricted Upload of a File with a Dangerous Type. | |||||