Total
3096 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-28147 | 2024-11-21 | N/A | 7.4 HIGH | ||
| An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack. This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19. | |||||
| CVE-2024-27957 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register.This issue affects Pie Register: from n/a through 3.8.3.1. | |||||
| CVE-2024-27903 | 1 Openvpn | 1 Openvpn | 2024-11-21 | N/A | 9.8 CRITICAL |
| OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | |||||
| CVE-2024-27733 | 2024-11-21 | N/A | 7.7 HIGH | ||
| File Upload vulnerability in Byzro Network Smart s42 Management Platform v.S42 allows a local attacker to execute arbitrary code via the useratte/userattestation.php component. | |||||
| CVE-2024-27311 | 1 Zohocorp | 1 Manageengine Ddi Central | 2024-11-21 | N/A | 5.5 MEDIUM |
| Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder. | |||||
| CVE-2024-25674 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. | |||||
| CVE-2024-24551 | 2024-11-21 | N/A | N/A | ||
| A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | |||||
| CVE-2024-24550 | 2024-11-21 | N/A | N/A | ||
| A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | |||||
| CVE-2024-24202 | 1 Easycorp | 3 Zentao, Zentao Biz, Zentao Max | 2024-11-21 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file. | |||||
| CVE-2024-24024 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | N/A | 9.8 CRITICAL |
| An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. | |||||
| CVE-2024-23946 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A | 5.3 MEDIUM |
| Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||||
| CVE-2024-23811 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution. | |||||
| CVE-2024-23630 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2024-11-21 | 7.7 HIGH | 9.0 CRITICAL |
| An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, however can be bypassed. | |||||
| CVE-2024-22550 | 1 Shopsite | 1 Shopsite | 2024-11-21 | N/A | 6.1 MEDIUM |
| An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. | |||||
| CVE-2024-22263 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server. | |||||
| CVE-2024-22152 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2024-11-21 | N/A | 8.0 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7. | |||||
| CVE-2024-22135 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2024-11-21 | N/A | 8.0 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3. | |||||
| CVE-2024-1659 | 1 Megabip | 1 Megabip | 2024-11-21 | N/A | 9.8 CRITICAL |
| Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10. | |||||
| CVE-2024-1268 | 1 Restaurant Pos System Project | 1 Restaurant Pos System | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in CodeAstro Restaurant POS System 1.0. This affects an unknown part of the file update_product.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253011. | |||||
| CVE-2024-1264 | 1 Juanpao | 1 Jpshop | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in Juanpao JPShop up to 1.5.02 and classified as critical. Affected by this vulnerability is the function actionUpdate of the file /api/controllers/common/UploadsController.php. The manipulation of the argument imgage leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253003. | |||||