Total: 3084 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-16941 | 1 Octobercms | 1 October | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering."
CVE-2015-4463 | 1 Efrontlearning | 1 Efront | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM | The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL.
CVE-2015-3884 | 1 Qdpm | 1 Qdpm | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.
CVE-2017-14251 | 1 Typo3 | 1 Typo3 | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
CVE-2017-6090 | 1 Phpcollab | 1 Phpcollab | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.
CVE-2017-15876 | 1 Sistemagpweb | 1 Gpweb | 2025-04-20 | 9.0 HIGH | 7.2 HIGH | Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell.
CVE-2016-6104 | 1 Ibm | 1 Security Key Lifecycle Manager | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute arbitrary code on the vulnerable system.
CVE-2017-11756 | 1 Earcms | 1 Ear Music | 2025-04-20 | 6.0 MEDIUM | 7.0 HIGH | In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=config_upload, and then using user.php/music/add/ to upload the code.
CVE-2013-7426 | 1 Kamailio | 1 Kamailio | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Insecure Temporary file vulnerability in /tmp/kamailio_fifo in kamailio 4.0.1.
CVE-2017-9101 | 1 Playsms | 1 Playsms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
CVE-2017-7695 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.
CVE-2017-1002002 | 1 Webapp-builder Project | 1 Webapp-builder | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Vulnerability in wordpress plugin webapp-builder v2.0. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
CVE-2017-15962 | 1 Istock Management System Project | 1 Istock Management System | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | iStock Management System 1.0 allows Arbitrary File Upload via user/profile.
CVE-2017-14123 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2025-04-20 | 9.0 HIGH | 8.8 HIGH | Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp.
CVE-2017-1002001 | 1 Mobile-app-builder-by-wappress Project | 1 Mobile-app-builder-by-wappress | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
CVE-2017-15673 | 1 Cs-cart | 1 Cs-cart | 2025-04-20 | 9.0 HIGH | 7.2 HIGH | The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.
CVE-2017-6104 | 1 Zen Mobile App Native Project | 1 Zen Mobile App Native | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0.
CVE-2017-15957 | 1 Ingenious School Management System Project | 1 Ingenious School Management System | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.
CVE-2017-12678 | 2 Debian, Taglib | 2 Debian Linux, Taglib | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH | In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.
CVE-2017-2737 | 1 Huawei | 2 Vcm5010, Vcm5010 Firmware | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | VCM5010 with software versions earlier than V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that are uploaded. An authenticated attacker could upload arbitrary files to the system.