Total
2982 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9660 | 2024-11-23 | N/A | 8.8 HIGH | ||
| The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_load_documets_new() and mj_smgt_load_documets() functions in all versions up to, and including, 91.5.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-9659 | 2024-11-23 | N/A | 9.8 CRITICAL | ||
| The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_user_avatar_image_upload() function in all versions up to, and including, 91.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-50652 | 1 Geeeeeeeek | 1 Java Shop | 2024-11-22 | N/A | 4.3 MEDIUM |
| A file upload vulnerability in java_shop 1.0 allows attackers to upload arbitrary files by modifying the avatar function. | |||||
| CVE-2024-8856 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-8525 | 2024-11-21 | N/A | N/A | ||
| An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file. | |||||
| CVE-2024-11404 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| Unrestricted Upload of File with Dangerous Type, Improper Input Validation, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS.This issue affects django Filer: from 3 before 3.3. | |||||
| CVE-2024-7277 | 1 Itsourcecode | 1 Alton Management System | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in itsourcecode Alton Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/menu.php of the component Add a Menu. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273146 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-7192 | 1 Angeljudesuarez | 1 Society Management System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/student.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272613 was assigned to this vulnerability. | |||||
| CVE-2024-7189 | 1 Kevinwong | 1 Online Food Ordering System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in itsourcecode Online Food Ordering System 1.0. Affected is an unknown function of the file editproduct.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272610 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-6958 | 1 Angeljudesuarez | 1 University Management System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /st_update.php of the component Avatar File Handler. The manipulation of the argument personal_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272080. | |||||
| CVE-2024-6948 | 1 Gargaj | 1 Wuhu | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Gargaj wuhu up to 3faad49bfcc3895e9ff76a591d05c8941273d120. Affected is an unknown function of the file /slideeditor.php of the component Slide Editor. The manipulation of the argument newSlideFile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. VDB-272070 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-6945 | 1 Flute-cms | 1 Flute | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067. | |||||
| CVE-2024-6828 | 2024-11-21 | N/A | 7.2 HIGH | ||
| The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution. | |||||
| CVE-2024-6801 | 1 Online Student Management System Project | 1 Online Student Management System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in SourceCodester Online Student Management System 1.0. This issue affects some unknown processing of the file /add-students.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271703. | |||||
| CVE-2024-6756 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 8.8 HIGH |
| The Social Auto Poster plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpw_auto_poster_get_image_path' function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. An attacker can use CVE-2024-6754 to exploit with subscriber-level access. | |||||
| CVE-2024-6730 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Nanjing Xingyuantu Technology SparkShop up to 1.1.6. It has been rated as critical. This issue affects some unknown processing of the file /api/Common/uploadFile. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271403. | |||||
| CVE-2024-6707 | 2 Debian, Openwebui | 2 Debian Linux, Open Webui | 2024-11-21 | N/A | 8.8 HIGH |
| Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. | |||||
| CVE-2024-6647 | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Croogo up to 4.0.7. This affects an unknown part of the file admin/settings/settings/prefix/Theme of the component Setting Handler. The manipulation of the argument Content-Type leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271053 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-6595 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.0 LOW |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data. | |||||
| CVE-2024-6439 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270167. | |||||