Total
3287 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1025 | 2025-02-05 | N/A | 7.5 HIGH | ||
| Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter. | |||||
| CVE-2024-1468 | 1 Theme-fusion | 1 Avada | 2025-02-05 | N/A | 8.8 HIGH |
| The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-31090 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2025-02-05 | N/A | 9.9 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Upload a Web Shell to a Web Server.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.60. | |||||
| CVE-2023-39307 | 1 Theme-fusion | 1 Avada | 2025-02-05 | N/A | 8.5 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1. | |||||
| CVE-2023-33930 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2025-02-05 | N/A | 9.1 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Code Injection.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.66. | |||||
| CVE-2025-24505 | 2025-02-05 | N/A | N/A | ||
| This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by uploading a specially crafted upgrade file. | |||||
| CVE-2025-1028 | 2025-02-05 | N/A | 8.1 HIGH | ||
| The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit. | |||||
| CVE-2023-2245 | 1 Hansuncms Project | 1 Hansuncms | 2025-02-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227230 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-41454 | 2025-02-03 | N/A | 6.5 MEDIUM | ||
| An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file. | |||||
| CVE-2022-25277 | 1 Drupal | 1 Drupal | 2025-02-03 | N/A | 7.2 HIGH |
| Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. | |||||
| CVE-2023-30266 | 1 Cltphp | 1 Cltphp | 2025-02-03 | N/A | 8.8 HIGH |
| CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type. | |||||
| CVE-2024-57761 | 2025-02-03 | N/A | 8.1 HIGH | ||
| An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2024-40513 | 2025-02-03 | N/A | 4.6 MEDIUM | ||
| An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function. | |||||
| CVE-2023-29721 | 1 Sofawiki Project | 1 Sofawiki | 2025-01-31 | N/A | 9.8 CRITICAL |
| SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution. | |||||
| CVE-2023-29631 | 1 Joommasters | 1 Jms Slider | 2025-01-31 | N/A | 9.8 CRITICAL |
| PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php. | |||||
| CVE-2023-28409 | 1 Mw Wp Form Project | 1 Mw Wp Form | 2025-01-31 | N/A | 9.8 CRITICAL |
| Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. | |||||
| CVE-2023-27397 | 1 Microengine | 1 Mailform | 2025-01-31 | N/A | 9.8 CRITICAL |
| Unrestricted upload of file with dangerous type exists in MicroEngine Mailform version 1.1.0 to 1.1.8. If the product's file upload function and server save option are enabled, a remote attacker may save an arbitrary file on the server and execute it. | |||||
| CVE-2023-29268 | 1 Tibco | 1 Spotfire Statistics Services | 2025-01-30 | N/A | 9.8 CRITICAL |
| The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0. | |||||
| CVE-2023-24269 | 1 Textpattern | 1 Textpattern | 2025-01-30 | N/A | 8.8 HIGH |
| An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file. | |||||
| CVE-2024-13448 | 1 Themerex | 1 Addons | 2025-01-30 | N/A | 9.8 CRITICAL |
| The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||