Total
3249 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0499 | 1 Sermon Browser Project | 1 Sermon Browser | 2024-11-21 | 8.8 High |
| The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. | ||||
| CVE-2022-0472 | 1 Laracom Project | 1 Laracom | 2024-11-21 | 5.4 Medium |
| Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9. | ||||
| CVE-2022-0440 | 1 Catchplugins | 1 Catch Themes Demo Import | 2024-11-21 | 7.2 High |
| The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog (ie DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true) | ||||
| CVE-2022-0415 | 1 Gogs | 1 Gogs | 2024-11-21 | 8.8 High |
| Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6. | ||||
| CVE-2022-0409 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 7.8 High |
| Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2. | ||||
| CVE-2022-0403 | 1 Wpjos | 1 Library File Manager | 2024-11-21 | 8.1 High |
| The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders. | ||||
| CVE-2022-0263 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 7.8 High |
| Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7. | ||||
| CVE-2022-0242 | 1 Craterapp | 1 Crater | 2024-11-21 | 7.2 High |
| Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0. | ||||
| CVE-2021-4436 | 1 Wp3dprinting | 1 3dprint Lite | 2024-11-21 | 9.8 Critical |
| The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache. | ||||
| CVE-2021-4225 | 2 Microsoft, Smartypantsplugins | 2 Windows, Sp Project \& Document Manager | 2024-11-21 | 8.8 High |
| The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites. | ||||
| CVE-2021-4080 | 1 Craterapp | 1 Crater | 2024-11-21 | 8.8 High |
| crater is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-46428 | 1 Simple Chatbot Application Project | 1 Simple Chatbot Application | 2024-11-21 | 9.8 Critical |
| A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php. | ||||
| CVE-2021-46386 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 9.8 Critical |
| File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload. | ||||
| CVE-2021-46367 | 1 Ritecms | 1 Ritecms | 2024-11-21 | 7.2 High |
| RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default. | ||||
| CVE-2021-46360 | 1 Ocproducts | 1 Composr | 2024-11-21 | 8.8 High |
| Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr. | ||||
| CVE-2021-46116 | 1 Jpress | 1 Jpress | 2024-11-21 | 7.2 High |
| jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code. | ||||
| CVE-2021-46115 | 1 Jpress | 1 Jpress | 2024-11-21 | 7.2 High |
| jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code. | ||||
| CVE-2021-46113 | 1 Kea-hotel-erp Project | 1 Kea-hotel-erp | 2024-11-21 | 8.8 High |
| In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service. | ||||
| CVE-2021-46097 | 1 Dolphinphp | 1 Dolphinphp | 2024-11-21 | 8.8 High |
| Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log | ||||
| CVE-2021-46079 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 7.2 High |
| An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection. | ||||