Total
3250 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18320 | 1 Siemens | 1 Sppa-t3000 Application Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). An attacker with network access to the Application Server could be able to upload arbitrary files without authentication. Please note that an attacker needs to have network access to the Application Server in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-18313 | 1 Siemens | 1 Sppa-t3000 Ms3000 Migration Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server could gain remote code execution by sending specifically crafted objects to one of the RPC services. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-18288 | 1 Siemens | 1 Sppa-t3000 Application Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). An attacker with valid authentication at the RMI interface could be able to gain remote code execution through an unsecured file upload. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-18204 | 1 Zucchetti | 1 Infobusiness | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zucchetti InfoBusiness before and including 4.4.1 allows any authenticated user to upload .php files in order to achieve code execution. | |||||
| CVE-2019-17536 | 1 Gilacms | 1 Gila Cms | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move. | |||||
| CVE-2019-17490 | 1 Jnoj | 1 Jiangnan Online Judge | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| app\modules\polygon\controllers\ProblemController in Jiangnan Online Judge (aka jnoj) 0.8.0 allows arbitrary file upload, as demonstrated by PHP code (with a .php filename but the image/png content type) to the web/polygon/problem/tests URI. | |||||
| CVE-2019-17403 | 1 Nokia | 1 Impact | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. | |||||
| CVE-2019-17352 | 1 Jfinal | 1 Jfinal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions. | |||||
| CVE-2019-17325 | 1 Clipsoft | 1 Rexpert | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to upload arbitrary local file via the ActiveX method in RexViewerCtrl30.ocx. That could lead to disclosure of sensitive information. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. | |||||
| CVE-2019-17188 | 1 Fecmall | 1 Fecmall | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An unrestricted file upload vulnerability was discovered in catalog/productinfo/imageupload in Fecshop FecMall 2.3.4. An attacker can bypass a front-end restriction and upload PHP code to the webserver, by providing image data and the image/jpeg content type, with a .php extension. This occurs because the code relies on the getimagesize function. | |||||
| CVE-2019-17058 | 1 Footy | 1 Tipping Software | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Footy Tipping Software AFL Web Edition 2019 allows arbitrary file upload and resultant remote code execution because a whitelist can be bypassed by an Administrator who uploads a crafted upload.dat file. | |||||
| CVE-2019-17046 | 1 Ilch | 1 Ilch Cms | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Ilch 2.1.22 allows remote code execution because php is listed under "Allowed files" on the index.php/admin/media/settings/index page. | |||||
| CVE-2019-16790 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. | |||||
| CVE-2019-16720 | 1 Zzzcms | 1 Zzzphp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. | |||||
| CVE-2019-16700 | 1 Slub-dresden | 1 Slub Events | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The slub_events (aka SLUB: Event Registration) extension through 3.0.2 for TYPO3 allows uploading of arbitrary files to the webserver. For versions 1.2.2 and below, this results in Remote Code Execution. In versions later than 1.2.2, this can result in Denial of Service, since the web space can be filled up with arbitrary files. | |||||
| CVE-2019-16530 | 1 Sonatype | 2 Nexus Iq Server, Nexus Repository Manager | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution. | |||||
| CVE-2019-16514 | 1 Connectwise | 1 Control | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server. | |||||
| CVE-2019-16318 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317. | |||||
| CVE-2019-16192 | 1 Doccms | 1 Doccms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| upload_model() in /admini/controllers/system/managemodel.php in DocCms 2016.5.17 allow remote attackers to execute arbitrary PHP code through module management files, as demonstrated by a .php file in a ZIP archive. | |||||
| CVE-2019-16131 | 1 Phpok | 1 Oklite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/. | |||||