Total: 3448 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1002000 | 1 Mobile-friendly-app-builder-by-easytouch Project | 1 Mobile-friendly-app-builder-by-easytouch | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0. The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content. | |||||
| CVE-2014-9312 | 1 10web | 1 Photo Gallery | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. | |||||
| CVE-2017-14346 | 1 Blog Project | 1 Blog | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file. | |||||
| CVE-2014-2664 | 1 X2engine | 1 X2crm | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2017-6041 | 1 Marel | 44 A320, A320 Firmware, A325 and 41 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An Unrestricted Upload issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single Cam v132, P520, P574, SensorX13 QC flow line, SensorX23 QC Master, SensorX23 QC Slave, Speed Batcher, T374, T377, V36, V36B, and V36C; M3210 terminal associated with the same systems as the M3000 terminal identified above; M3000 desktop software associated with the same systems as the M3000 terminal identified above; MAC4 controller associated with the same systems as the M3000 terminal identified above; SensorX23 X-ray machine; SensorX25 X-ray machine; and MWS2 weighing system. This vulnerability allows an attacker to modify the operation and upload firmware changes without detection. | |||||
| CVE-2017-1000081 | 1 Onosproject | 1 Onos | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Linux Foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. | |||||
| CVE-2017-9080 | 1 Playsms | 1 Playsms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection. | |||||
| CVE-2015-2780 | 1 Berta | 1 Berta Cms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2017-17593 | 1 Simple Chatting System Project | 1 Simple Chatting System | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_profile.php, which places files under uploads/. | |||||
| CVE-2017-1002008 | 1 Membership Simplified Project | 1 Membership Simplified | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in WordPress plugin membership-simplified-for-oap-members-only v1.58. The file download code located in membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges. | |||||
| CVE-2017-14839 | 1 Teamworktec | 1 Photo Fusion | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. | |||||
| CVE-2014-9619 | 1 Netsweeper | 1 Netsweeper | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to execute arbitrary PHP code by uploading a file with a double extension, then accessing it via a direct request to the file in webadmin/deny/images/, as demonstrated by secuid0.php.gif. | |||||
| CVE-2017-14399 | 1 Blackcat-cms | 1 Blackcat Cms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php. | |||||
| CVE-2017-12929 | 1 Tecnovision | 1 Dlx Spot Player4 | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. | |||||
| CVE-2011-4334 | 1 Labwiki Project | 1 Labwiki | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter. | |||||
| CVE-2017-9380 | 1 Open-emr | 1 Openemr | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application. | |||||
| CVE-2017-9840 | 1 Dolibarr | 1 Dolibarr | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. | |||||
| CVE-2017-9364 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. | |||||
| CVE-2017-15054 | 1 Teampass | 1 Teampass | 2025-04-20 | 6.5 MEDIUM | 7.5 HIGH |
| An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, it can simply access the file to execute code on the server. | |||||
| CVE-2017-8080 | 1 Atlassian | 1 Hipchat Server | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. | |||||
