Total
3256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6931 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. | |||||
| CVE-2017-3189 | 1 Dotcms | 1 Dotcms | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. | |||||
| CVE-2017-20063 | 1 Elefantcms | 1 Elefant Cms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classified as critical. Affected is an unknown function of the file /filemanager/upload/drop of the component File Upload. The manipulation leads to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20021 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in Solare Solar-Log 2.8.4-56/3.5.2-85. This affects an unknown part of the component File Upload. The manipulation leads to privilege escalation. It is possible to initiate the attack remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-1499 | 1 Ibm | 2 Maximo Asset Management, Maximo Asset Management Essentials | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker to include arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable Web server. IBM X-Force ID: 129106. | |||||
| CVE-2017-18592 | 1 Wc-marketplace | 1 Wc Catalog Enquiry | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. | |||||
| CVE-2017-18435 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| cPanel before 64.0.21 allows demo accounts to execute code via the BoxTrapper API (SEC-238). | |||||
| CVE-2017-18048 | 1 Monstra | 1 Monstra | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not. | |||||
| CVE-2017-17976 | 1 Perfexcrm | 1 Perfex Crm | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. | |||||
| CVE-2017-16736 | 1 Advantech | 1 Webaccess | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files. | |||||
| CVE-2017-16251 | 1 Mitel | 1 St14.2 | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the conferencing component of Mitel ST 14.2, release GA28 and earlier, could allow an authenticated user to upload a malicious script to the Personal Library by a crafted POST request. Successful exploit could allow an attacker to execute arbitrary code within the context of the application. | |||||
| CVE-2017-15549 | 1 Emc | 3 Avamar Server, Integrated Data Protection Appliance, Networker | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0; EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x; and EMC Integrated Data Protection Appliance 2.0. A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system. | |||||
| CVE-2017-14521 | 1 Wondercms | 1 Wondercms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In WonderCMS 2.3.1, the upload functionality accepts random application extensions and leads to malicious File Upload. | |||||
| CVE-2017-11561 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell. | |||||
| CVE-2016-9492 | 1 Jqueryform | 1 Php Formmail Generator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename. | |||||
| CVE-2016-8515 | 1 Hp | 1 Version Control Repository Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A remote malicious file upload vulnerability in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6. | |||||
| CVE-2016-7443 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location." | |||||
| CVE-2016-6918 | 1 Lexmark | 1 Markvision Enterprise | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attackers to execute arbitrary commands by uploading files. ( | |||||
| CVE-2016-15033 | 1 Delete All Comments Project | 1 Delete All Comments | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | |||||
| CVE-2016-11020 | 1 Kunena | 1 Kunena | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution. | |||||