Total
3183 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53345 | 2025-01-07 | 8.8 High | ||
| An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-21624 | 2025-01-07 | 9.8 Critical | ||
| ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239. | ||||
| CVE-2023-33498 | 1 Alist Project | 1 Alist | 2025-01-07 | 8.8 High |
| alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | ||||
| CVE-2023-33601 | 1 Phpok | 1 Phpok | 2025-01-07 | 8.8 High |
| An arbitrary file upload vulnerability in /admin.php?c=upload of phpok v6.4.100 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2024-43243 | 2025-01-07 | 10 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGlow JobBoard Job listing allows Upload a Web Shell to a Web Server.This issue affects JobBoard Job listing: from n/a through 1.2.6. | ||||
| CVE-2024-56829 | 2025-01-06 | 10 Critical | ||
| Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx. | ||||
| CVE-2023-34747 | 1 Ujcms | 1 Ujcms | 2025-01-06 | 9.8 Critical |
| File upload vulnerability in ujcms 6.0.2 via /api/backend/core/web-file-upload/upload. | ||||
| CVE-2023-27881 | 1 Ptc | 1 Vuforia Studio | 2025-01-06 | 8 High |
| A user could use the “Upload Resource” functionality to upload files to any location on the disk. | ||||
| CVE-2024-11211 | 1 Eyoucms | 1 Eyoucms | 2025-01-06 | 4.7 Medium |
| A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Affected is an unknown function of the component Website Logo Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-13134 | 2025-01-06 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController. java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13133 | 2025-01-06 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController. java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13144 | 2025-01-06 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-13145 | 2025-01-06 | 6.3 Medium | ||
| A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-33253 | 1 Agilebio | 1 Labcollector | 2025-01-03 | 8.8 High |
| LabCollector 6.0 though 6.15 allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The vulnerability is in the message function, and is due to insufficient validation of the file (such as shell.jpg.php.shell) being sent. | ||||
| CVE-2024-55078 | 2025-01-03 | 9.8 Critical | ||
| An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2023-31541 | 1 Ckeditor | 1 Ckeditor | 2025-01-03 | 9.8 Critical |
| A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server. | ||||
| CVE-2023-3049 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2025-01-03 | 9.8 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in TMT Lockcell allows Command Injection.This issue affects Lockcell: before 15. | ||||
| CVE-2024-53677 | 2025-01-03 | 9.0 Critical | ||
| File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 | ||||
| CVE-2023-34944 | 1 Chamilo | 1 Chamilo Lms | 2025-01-03 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file. | ||||
| CVE-2024-27923 | 1 Getgrav | 1 Grav | 2025-01-02 | 8.8 High |
| Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue. | ||||