Total: 2975 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-36082 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | N/A | 9.8 CRITICAL | File Upload vulnerability in bloofoxCMS version 0.5.2.1 allows remote attackers to execute arbitrary code and escalate privileges via a crafted webshell file uploaded to the upload module.
CVE-2020-36079 | 1 Zenphoto | 1 Zenphoto | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site."
CVE-2020-35949 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL | An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.
CVE-2020-35945 | 1 Elegant Themes | 3 Divi, Divi Builder, Divi Extra | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.
CVE-2020-35797 | 1 Netgear | 2 Nms300, Nms300 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker.
CVE-2020-35760 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | bloofoxCMS 0.5.2.1 is affected by Unrestricted File Upload, which allows attackers to upload malicious files (e.g. .php files).
CVE-2020-35657 | 1 Jaws Project | 1 Jaws | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
CVE-2020-35656 | 1 Jaws Project | 1 Jaws | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
CVE-2020-35627 | 1 Woocommerce | 1 Gift Cards | 2024-11-21 | 7.5 HIGH | 8.8 HIGH | Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom Gift Card Template feature that allows remote execution of arbitrary code. The custom image upload of the "Custom Gift Card Template" function accepts an image whose extension has been changed to .php, which is then executed as PHP code on the server.
CVE-2020-35489 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL | The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
CVE-2020-35442 | 1 Fangfa | 1 Fdcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | FDCMS (also known as Fangfa Content Management System) 4.0 allows remote attackers to obtain a webshell in the backend via Front/lib/Action/FindexAction.class.php.
CVE-2020-35133 | 1 Irfanview | 1 Irfanview | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | IrfanView 4.56 contains an error when parsing files of type .pcx, which leads to an out-of-bounds write at i_view32+0xdb60.
CVE-2020-2730 | 1 Oracle | 1 Revenue Management And Billing | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM | Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
CVE-2020-29597 | 1 Incomcms Project | 1 Incomcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This vulnerability allows unauthenticated attackers to upload files to the server.
CVE-2020-29592 | 1 Orchardproject | 1 Orchard | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables that bypass the allowed file types (regardless of the allowed file types list in Media settings).
CVE-2020-29450 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
CVE-2020-29447 | 1 Atlassian | 1 Crucible | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5.
CVE-2020-29441 | 1 Outsystems | 1 Outsystems | 2024-11-21 | 6.4 MEDIUM | 7.2 HIGH | An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being processed asynchronously, or deny access to legitimate uploaded files.
CVE-2020-29176 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.
CVE-2020-29032 | 1 Secomea | 2 Gatemanager 8250, Gatemanager 8250 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.4 HIGH | Upload of Code Without Integrity Check vulnerability in the firmware archive of Secomea GateManager allows an authenticated attacker to execute malicious code on the server. This issue affects: Secomea GateManager all versions prior to 9.4.621054022.