Total: 3319 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-29641 | 1 Rangerstudio | 1 Directus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com).
CVE-2021-29377 | 1 Pearadmin | 1 Pearadmin Think | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Pear Admin Think through 2.1.2 has an arbitrary file upload vulnerability that allows attackers to execute arbitrary code remotely. A .php file can be uploaded via admin.php/index/upload because app/common/service/UploadService.php mishandles fileExt.
CVE-2021-29281 | 1 Gfi | 1 Archiver | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via an insecure implementation of the Telerik Web UI plugin, which is affected by CVE-2014-2217 and CVE-2017-11317.
CVE-2021-29092 | 1 Synology | 1 Photo Station | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Unrestricted upload of file with dangerous type vulnerability in the file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-29022 | 1 Invoiceplane | 1 Invoiceplane | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
CVE-2021-28976 | 1 Get-simple | 1 Getsimplecms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files.
CVE-2021-28931 | 1 Fork-cms | 1 Fork Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel.
CVE-2021-28428 | 1 Horizontcms Project | 1 Horizontcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.
CVE-2021-28379 | 2 Myvestacp, Vestacp | 2 Myvesta, Vesta Control Panel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin.
CVE-2021-28294 | 1 Online Ordering System Project | 1 Online Ordering System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE).
CVE-2021-28173 | 1 Deltaflow Project | 1 Deltaflow | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The file upload function of Vangene deltaFlow E-platform does not perform access control properly. Remote attackers can upload and execute arbitrary files without login.
CVE-2021-28023 | 1 Servicetonic | 1 Servicetonic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Arbitrary file upload in the Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths.
CVE-2021-27984 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 8.1 HIGH | In the Pluck-4.7.15 admin background, a remote command execution vulnerability exists when uploading files.
CVE-2021-27964 | 1 Sfcyazilim | 1 Sonlogger | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.
CVE-2021-27817 | 1 Shopxo | 1 Shopxo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix.
CVE-2021-27771 | 1 Hcltech | 1 Sametime | 2024-11-21 | 6.5 MEDIUM | 8.2 HIGH | User SID can be modified, resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal manner with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files.
CVE-2021-27618 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | The Integration Builder Framework of SAP Process Integration versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not check the file type extension of the file uploaded from a local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.
CVE-2021-27513 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
CVE-2021-27489 | 1 Zoll | 1 Defibrillator Dashboard | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | ZOLL Defibrillator Dashboard, versions prior to 2.2: the web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands.
CVE-2021-27459 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The webserver of the affected products allows unvalidated files to be uploaded, which an attacker could utilize to execute arbitrary code.