Total
3006 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-31707 | 1 Kitesky | 1 Kitecms | 2025-02-18 | N/A | 9.8 CRITICAL |
| Permissions vulnerability found in KiteCMS allows a remote attacker to execute arbitrary code via the upload file type. | |||||
| CVE-2024-2930 | 1 Oretnom23 | 1 Music Gallery Site | 2025-02-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file classes/Master.php?f=save_music. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-258001 was assigned to this vulnerability. | |||||
| CVE-2024-2849 | 1 Ganeshrkt | 1 Simple File Manager Web App | 2025-02-18 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in SourceCodester Simple File Manager 1.0. This vulnerability affects unknown code. The manipulation of the argument photo leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257770 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-2754 | 1 Donbermoy | 1 Complete E-commerce Site | 2025-02-18 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical has been found in SourceCodester Complete E-Commerce Site 1.0. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257544. | |||||
| CVE-2024-2690 | 1 Razormist | 1 Online Discussion Forum Site | 2025-02-18 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been classified as critical. Affected is an unknown function of the file /uupdate.php. The manipulation of the argument ima leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257388. | |||||
| CVE-2025-1388 | 2025-02-17 | N/A | 8.8 HIGH | ||
| Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells | |||||
| CVE-2024-25802 | 1 Skinsoft | 1 S-museum | 2025-02-14 | N/A | 9.8 CRITICAL |
| SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content. | |||||
| CVE-2024-27964 | 1 Gesundheit-bewegt | 1 Zippy | 2025-02-14 | N/A | 8.8 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.9. | |||||
| CVE-2023-0670 | 1 Ulearn Project | 1 Ulearn | 2025-02-13 | N/A | 7.2 HIGH |
| Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. | |||||
| CVE-2025-22132 | 1 Wegia | 1 Wegia | 2025-02-13 | N/A | 8.3 HIGH |
| WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | |||||
| CVE-2024-22393 | 2025-02-13 | N/A | 9.1 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue. | |||||
| CVE-2018-15961 | 1 Adobe | 1 Coldfusion | 2025-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2023-31428 | 1 Broadcom | 1 Brocade Fabric Operating System | 2025-02-13 | N/A | 5.5 MEDIUM |
| Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under user's home directory using grep. | |||||
| CVE-2023-27602 | 1 Apache | 1 Linkis | 2025-02-13 | N/A | 9.8 CRITICAL |
| In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` | |||||
| CVE-2023-0265 | 1 Uvdesk | 1 Community-skeleton | 2025-02-13 | N/A | 8.8 HIGH |
| Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | |||||
| CVE-2023-26857 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2025-02-13 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2025-1070 | 2025-02-13 | N/A | 8.1 HIGH | ||
| CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded. | |||||
| CVE-2020-8260 | 1 Ivanti | 1 Connect Secure | 2025-02-12 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | |||||
| CVE-2023-27033 | 1 Cdesigner Project | 1 Cdesigner | 2025-02-12 | N/A | 9.8 CRITICAL |
| Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent(). | |||||
| CVE-2023-29375 | 1 Progress | 1 Sitefinity | 2025-02-12 | N/A | 9.8 CRITICAL |
| An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector. | |||||