Vulnerabilities (CVE)

Filtered by CWE-434
Total 3489 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-13241 1 Microweber 1 Microweber 2024-11-21 7.2 HIGH 7.8 HIGH
Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file.
CVE-2020-13128 1 Gwtupload Project 1 Gwtupload 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Manolo GWTUpload 1.0.3. server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to cause all of a server's threads to sleep, leading to denial of service.
CVE-2020-13126 1 Elementor 1 Elementor Page Builder 2024-11-21 6.5 MEDIUM 9.9 CRITICAL
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
CVE-2020-12854 1 Seczetta 1 Neprofile 2024-11-21 6.5 MEDIUM 8.8 HIGH
A remote code execution vulnerability was identified in SecZetta NEProfile 3.3.11. Authenticated remote adversaries can invoke code execution upon uploading a carefully crafted JPEG file as part of the profile avatar.
CVE-2020-12846 1 Synacor 1 Zimbra Collaboration Suite 2024-11-21 6.0 MEDIUM 8.0 HIGH
Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.
CVE-2020-12843 1 Gogogate 2 Ismartgate Pro, Ismartgate Pro Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used.
CVE-2020-12837 1 Gogogate 2 Ismartgate Pro, Ismartgate Pro Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used.
CVE-2020-12828 1 Pango 1 Virtual Private Network Software Development Kit 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.
CVE-2020-12800 1 Codedropz 1 Drag And Drop Multiple File Upload - Contact Form 7 2024-11-21 7.5 HIGH 9.8 CRITICAL
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
CVE-2020-12715 1 Rainbowfishsoftware 1 Pacsone Server 2024-11-21 6.5 MEDIUM 8.8 HIGH
RainbowFish PacsOne Server 6.8.4 has Incorrect Access Control.
CVE-2020-12675 1 Mappresspro 1 Mappress 2024-11-21 6.5 MEDIUM 8.8 HIGH
The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPress does not correctly implement capability checks for AJAX functions related to creation/retrieval/deletion of PHP template files, leading to Remote Code Execution. NOTE: this issue exists because of an incomplete fix for CVE-2020-12077.
CVE-2020-12255 1 Rconfig 1 Rconfig 2024-11-21 6.5 MEDIUM 8.8 HIGH
rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php accepts a file upload by checking content-type without considering the file extension and header. Thus, an attacker can exploit this by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif.
CVE-2020-12252 1 Gigamon 1 Gigavue 2024-11-21 6.0 MEDIUM 6.2 MEDIUM
An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an arbitrary file upload for an authenticated user. If an executable file is uploaded into the www-root directory, then it could yield remote code execution via the filename parameter.
CVE-2020-12077 1 Mappresspro 1 Mappress 2024-11-21 6.5 MEDIUM 8.8 HIGH
The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.
CVE-2020-12005 1 Rockwellautomation 2 Factorytalk Linx, Rslinx Classic 2024-11-21 7.8 HIGH 7.5 HIGH
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later, Studio 5000 Logix Designer software: Version 32 and prior are vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.
CVE-2020-11943 1 Opmantek 1 Open-audit 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload.
CVE-2020-11817 1 Rukovoditel 1 Rukovoditel 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting.
CVE-2020-11815 1 Rukovoditel 1 Rukovoditel 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.
CVE-2020-11811 1 Qdpm 1 Qdpm 2024-11-21 10.0 HIGH 9.8 CRITICAL
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the server using this malicious file.
CVE-2020-11807 1 Sourcefabric 1 Newscoop 2024-11-21 4.6 MEDIUM 7.8 HIGH
Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path.