Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-12803

Summary
Assigner-krcert
Assigner Org ID-cdd7a122-0fae-4202-8d86-14efbacc2863
Published At-10 Jul, 2019 | 19:34
Updated At-04 Aug, 2024 | 23:32
Rejected At-
Credits

Hunesion i-oneNet unrestricted file upload vulnerability

In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:krcert
Assigner Org ID:cdd7a122-0fae-4202-8d86-14efbacc2863
Published At:10 Jul, 2019 | 19:34
Updated At:04 Aug, 2024 | 23:32
Rejected At:
▼CVE Numbering Authority (CNA)
Hunesion i-oneNet unrestricted file upload vulnerability

In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.

Affected Products
Vendor
Hunesion
Product
i-oneNet
Versions
Affected
  • 3.0.7~3.0.53
  • 4.0.4~4.0.16
Problem Types
TypeCWE IDDescription
CWECWE-434CWE-434 Unrestricted Upload of File with Dangerous Type
Type: CWE
CWE ID: CWE-434
Description: CWE-434 Unrestricted Upload of File with Dangerous Type
Metrics
VersionBase scoreBase severityVector
3.08.8HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073
x_refsource_CONFIRM
Hyperlink: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vuln@krcert.or.kr
Published At:10 Jul, 2019 | 20:15
Updated At:28 Feb, 2023 | 17:59

In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.08.8HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches

hunesion
hunesion
>>i-onenet>>Versions from 3.0.7(inclusive) to 3.0.53(inclusive)
cpe:2.3:a:hunesion:i-onenet:*:*:*:*:*:*:*:*
hunesion
hunesion
>>i-onenet>>Versions from 4.0.4(inclusive) to 4.0.16(inclusive)
cpe:2.3:a:hunesion:i-onenet:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-434Primarynvd@nist.gov
CWE-434Secondaryvuln@krcert.or.kr
CWE ID: CWE-434
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-434
Type: Secondary
Source: vuln@krcert.or.kr
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073vuln@krcert.or.kr
Broken Link
Third Party Advisory
Hyperlink: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073
Source: vuln@krcert.or.kr
Resource:
Broken Link
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1012Records found

CVE-2023-2246
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.20% / 78.08%
||
7 Day CHG~0.00%
Published-23 Apr, 2023 | 15:31
Updated-22 Nov, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Pizza Ordering System unrestricted upload

A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227236.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-online_pizza_ordering_systemOnline Pizza Ordering System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-2245
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.29% / 52.13%
||
7 Day CHG-0.01%
Published-22 Apr, 2023 | 17:00
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
hansunCMS unrestricted upload

A vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227230 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-hansuncms_projectn/a
Product-hansuncmshansunCMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-21474
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.09% / 77.06%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 00:00
Updated-10 Dec, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

File Upload vulnerability in NucleusCMS v.3.71 allows a remote attacker to execute arbitrary code via the /nucleus/plugins/skinfiles/?dir=rsd parameter.

Action-Not Available
Vendor-nucleuscmsn/a
Product-nucleuscmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-54444
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.25%
||
7 Day CHG+0.01%
Published-23 Jul, 2025 | 05:35
Updated-30 Jul, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-18704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.65% / 85.17%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 17:56
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'.

Action-Not Available
Vendor-fusionboxn/a
Product-widgyn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-31615
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 23.31%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 00:00
Updated-16 Apr, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.

Action-Not Available
Vendor-thinkcmfn/athinkcmf
Product-thinkcmfn/athinkcmf
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-18166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 73.79%
||
7 Day CHG~0.00%
Published-14 May, 2021 | 13:09
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".

Action-Not Available
Vendor-laobancmsn/a
Product-laobancmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-18114
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.14% / 77.50%
||
7 Day CHG~0.00%
Published-27 Aug, 2021 | 20:30
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.

Action-Not Available
Vendor-n/aDedeCMS
Product-dedecmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-33786
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.04%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 00:00
Updated-02 Aug, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in Zhongcheng Kexin Ticketing Management Platform 20.04 allows attackers to execute arbitrary code via uploading a crafted file.

Action-Not Available
Vendor-n/azhongcheng
Product-n/aticketing_management_platform
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1800
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-23.41% / 95.75%
||
7 Day CHG~0.00%
Published-02 Apr, 2023 | 10:31
Updated-22 Nov, 2024 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
sjqzhang go-fastdfs File Upload uploa upload path traversal

A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224768.

Action-Not Available
Vendor-go-fastdfs_projectsjqzhang
Product-go-fastdfsgo-fastdfs
CWE ID-CWE-24
Path Traversal: '../filedir'
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-2068
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-71.98% / 98.68%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-13 Feb, 2025 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode

The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.

Action-Not Available
Vendor-advancedfilemanagerUnknown
Product-file_manager_advanced_shortcodefile-manager-advanced-shortcode
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1479
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 20.86%
||
7 Day CHG~0.00%
Published-18 Mar, 2023 | 08:25
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple Music Player save_music.php unrestricted upload

A vulnerability classified as critical has been found in SourceCodester Simple Music Player 1.0. Affected is an unknown function of the file save_music.php. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223362 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-simple_music_player_projectSourceCodester
Product-simple_music_playerSimple Music Player
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1684
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.05% / 16.30%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 04:00
Updated-02 Aug, 2024 | 05:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HadSky unrestricted upload

A vulnerability was found in HadSky 7.7.16. It has been classified as problematic. This affects an unknown part of the file upload/index.php?c=app&a=superadmin:index. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224241 was assigned to this vulnerability.

Action-Not Available
Vendor-hadskyn/a
Product-hadskyHadSky
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1734
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.06% / 18.86%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 19:00
Updated-02 Aug, 2024 | 05:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Young Entrepreneur E-Negosyo System unrestricted upload

A vulnerability classified as critical has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0. Affected is an unknown function of the file admin/products/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-224622 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-young_entrepreneur_e-negosyo_system_projectSourceCodester
Product-young_entrepreneur_e-negosyo_systemYoung Entrepreneur E-Negosyo System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-20073
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-91.18% / 99.64%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-28 Oct, 2024 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-rv340_firmwarerv340wrv345prv345rv345_firmwarerv345p_firmwarerv340rv340w_firmwareCisco Small Business RV Series Router Firmware
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1484
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.15% / 36.25%
||
7 Day CHG~0.00%
Published-18 Mar, 2023 | 10:00
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xzjie cms upload unrestricted upload

A vulnerability was found in xzjie cms up to 1.0.3 and classified as critical. This issue affects some unknown processing of the file /api/upload. The manipulation of the argument uploadFile leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-223367.

Action-Not Available
Vendor-xzjie_cms_projectxzjie
Product-xzjie_cmscms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1561
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.59%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 12:00
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple Online Hotel Reservation System add_room.php unrestricted upload

A vulnerability, which was classified as critical, was found in code-projects Simple Online Hotel Reservation System 1.0. Affected is an unknown function of the file add_room.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. VDB-223554 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-Source Code & ProjectsFabian Ros
Product-simple_online_hotel_reservation_systemSimple Online Hotel Reservation System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1826
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.77% / 72.48%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 09:00
Updated-11 Feb, 2025 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Computer and Laptop Store index.php unrestricted upload

A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file php-ocls\admin\system_info\index.php. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The identifier VDB-224841 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-online_computer_and_laptop_storeOnline Computer and Laptop Store
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1797
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 24.00%
||
7 Day CHG~0.00%
Published-02 Apr, 2023 | 09:00
Updated-02 Aug, 2024 | 06:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OTCMS unrestricted upload

A vulnerability classified as critical was found in OTCMS 6.0.1. Affected by this vulnerability is an unknown functionality of the file sysCheckFile.php?mudi=sql. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224749 was assigned to this vulnerability.

Action-Not Available
Vendor-otcmsn/a
Product-otcmsOTCMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-18261
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.91% / 74.83%
||
7 Day CHG~0.00%
Published-03 Nov, 2021 | 17:57
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands.

Action-Not Available
Vendor-ed01-cms_projectn/a
Product-ed01-cmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1558
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 24.00%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 11:00
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple and Beautiful Shopping Cart System uploadera.php unrestricted upload

A vulnerability classified as critical has been found in Simple and Beautiful Shopping Cart System 1.0. This affects an unknown part of the file uploadera.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223551.

Action-Not Available
Vendor-simple_and_beautiful_shopping_cart_system_projectn/a
Product-simple_and_beautiful_shopping_cart_systemSimple and Beautiful Shopping Cart System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1497
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.59%
||
7 Day CHG~0.00%
Published-19 Mar, 2023 | 19:00
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple and Nice Shopping Cart Script uploaderm.php unrestricted upload

A vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0. It has been rated as critical. This issue affects some unknown processing of the file uploaderm.php. The manipulation of the argument submit leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223397 was assigned to this vulnerability.

Action-Not Available
Vendor-habencsSourceCodester
Product-simple_and_nice_shopping_cart_scriptSimple and Nice Shopping Cart Script
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-19113
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.65% / 85.17%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 21:55
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arbitrary File Upload vulnerability in Online Book Store v1.0 in admin_add.php, which may lead to remote code execution.

Action-Not Available
Vendor-n/aProjectworlds
Product-online_book_store_project_in_phpn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1739
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 20.58%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 20:31
Updated-02 Aug, 2024 | 05:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple and Beautiful Shopping Cart System upload.php unrestricted upload

A vulnerability was found in SourceCodester Simple and Beautiful Shopping Cart System 1.0 and classified as critical. This issue affects some unknown processing of the file upload.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224627.

Action-Not Available
Vendor-simple_and_beautiful_shopping_cart_system_projectSourceCodester
Product-simple_and_beautiful_shopping_cart_systemSimple and Beautiful Shopping Cart System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1728
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.67%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 08:40
Updated-11 Feb, 2025 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted Upload of File with Dangerous Type in Fernus LMS

Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection, Server Side Include (SSI) Injection.This issue affects LMS: before 23.04.03.

Action-Not Available
Vendor-fernusFernus Informatics
Product-learning_management_systemsLMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-2071
Matching Score-4
Assigner-Rockwell Automation
ShareView Details
Matching Score-4
Assigner-Rockwell Automation
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 70.34%
||
7 Day CHG+0.19%
Published-12 Sep, 2023 | 13:12
Updated-25 Sep, 2024 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FactoryTalk View Machine Edition Vulnerable to Remote Code Execution

Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files.  By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-panelview_plusfactorytalk_viewFa
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-31777
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.50% / 94.82%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 00:00
Updated-18 Jun, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.

Action-Not Available
Vendor-openeclassn/agunet
Product-openeclassn/aopen_eclass_platform
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1303
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.59%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 21:48
Updated-02 Aug, 2024 | 05:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UCMS System File Management Module fileedit.php unrestricted upload

A vulnerability was found in UCMS 1.6 and classified as critical. This issue affects some unknown processing of the file sadmin/fileedit.php of the component System File Management Module. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-222683.

Action-Not Available
Vendor-ucms_projectn/a
Product-ucmsUCMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-18879
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.44% / 92.49%
||
7 Day CHG~0.00%
Published-20 Aug, 2021 | 13:20
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'.

Action-Not Available
Vendor-bluditn/a
Product-bluditn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-3229
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-6.64% / 90.82%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 04:31
Updated-11 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Salon Booking System <= 10.2 - Unauthenticated Arbitrary File Upload

The Salon booking system plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the SLN_Action_Ajax_ImportAssistants function along with missing authorization checks in all versions up to, and including, 10.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-salonbookingsystemwordpresschefsalonbookingsystem
Product-salon_booking_systemSalon Booking Systemsalon_booking_system
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-0783
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.06% / 18.88%
||
7 Day CHG~0.00%
Published-11 Feb, 2023 | 17:04
Updated-02 Aug, 2024 | 05:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EcShop PHP File template.php unrestricted upload

A vulnerability was found in EcShop 4.1.5. It has been classified as critical. This affects an unknown part of the file /ecshop/admin/template.php of the component PHP File Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220641 was assigned to this vulnerability.

Action-Not Available
Vendor-shopexn/a
Product-ecshopEcShop
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-2128
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.6||CRITICAL
EPSS-0.38% / 58.38%
||
7 Day CHG~0.00%
Published-20 Jun, 2022 | 16:45
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted Upload of File with Dangerous Type in polonel/trudesk

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.

Action-Not Available
Vendor-trudesk_projectpolonel
Product-trudeskpolonel/trudesk
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-0651
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 23.59%
||
7 Day CHG~0.00%
Published-02 Feb, 2023 | 13:42
Updated-12 Sep, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastCMS Template Management unrestricted upload

A vulnerability was found in FastCMS 0.1.0. It has been classified as critical. Affected is an unknown function of the component Template Management. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-fastcms_projectn/a
Product-fastcmsFastCMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-1391
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.05% / 15.80%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 14:21
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Tours & Travels Management System ab.php unrestricted upload

A vulnerability, which was classified as problematic, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file admin/ab.php. The manipulation of the argument img leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222978 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-mayuri_kSourceCodester
Product-online_tours_\&_travels_management_systemOnline Tours & Travels Management System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-0257
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.04% / 12.83%
||
7 Day CHG~0.00%
Published-12 Jan, 2023 | 21:09
Updated-02 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Food Ordering System Menu Form unrestricted upload

A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /fos/admin/index.php?page=menu of the component Menu Form. The manipulation of the argument Image with the input <?php system($_GET['c']); ?> leads to unrestricted upload. The attack can be launched remotely. The identifier VDB-218185 was assigned to this vulnerability.

Action-Not Available
Vendor-online_food_ordering_system_projectSourceCodester
Product-online_food_ordering_systemOnline Food Ordering System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-32161
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.41%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 00:00
Updated-21 Nov, 2024 | 09:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jizhiCMS 2.5 suffers from a File upload vulnerability.

Action-Not Available
Vendor-n/ajizhicms
Product-n/ajizhicms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-30510
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-10||CRITICAL
EPSS-0.91% / 74.88%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 13:36
Updated-27 Feb, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Salon booking system plugin <= 9.5 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 9.5.

Action-Not Available
Vendor-salonbookingsystemSalon Booking Systemsalonbookingsystem
Product-salon_booking_systemSalon booking systemsalon_booking_system
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-31012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.89% / 87.79%
||
7 Day CHG+0.99%
Published-03 Apr, 2024 | 00:00
Updated-04 Apr, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file.

Action-Not Available
Vendor-sem-cmsn/asem-cms
Product-semcmsn/asemcms
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-47769
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.19%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-27 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.

Action-Not Available
Vendor-serinfn/a
Product-fast_checkinn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-47190
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-10||CRITICAL
EPSS-0.72% / 71.64%
||
7 Day CHG~0.00%
Published-31 Mar, 2023 | 00:00
Updated-11 Feb, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RCE via file upload vulnerability in Generex CS141

Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a firmware file containing a webshell that could allow him to execute arbitrary code as root.

Action-Not Available
Vendor-generexGenerex
Product-cs141_firmwarecs141UPS CS141
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-33404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-84.34% / 99.27%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 00:00
Updated-03 Dec, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code.

Action-Not Available
Vendor-blogenginen/a
Product-blogengine.netn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-48008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.48% / 80.19%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.

Action-Not Available
Vendor-limesurveyn/a
Product-limesurveyn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-48079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.31%
||
7 Day CHG~0.00%
Published-02 Feb, 2023 | 00:00
Updated-27 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Monnai aaPanel host system v1.5 contains an access control issue which allows attackers to escalate privileges and execute arbitrary code via uploading a crafted PHP file to the virtual host directory of the system.

Action-Not Available
Vendor-mengnain/a
Product-aapanel_host_systemn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-47893
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-10||CRITICAL
EPSS-1.72% / 81.65%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 11:28
Updated-23 Sep, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NetMan 204 Remote Code Execution

There is a remote code execution vulnerability that affects all versions of NetMan 204. A remote attacker could upload a firmware file containing a webshell, that could allow him to execute arbitrary code as root.

Action-Not Available
Vendor-riello-upsRiello UPSriello-ups
Product-netman_204_firmwarenetman_204Netman-204netman_204_firmware
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2013-3684
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-44.66% / 97.48%
||
7 Day CHG~0.00%
Published-11 Feb, 2020 | 17:48
Updated-06 Aug, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload

Action-Not Available
Vendor-n/aImagely, LLC (Imagely)
Product-nextgen_galleryn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-45966
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 26.67%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.

Action-Not Available
Vendor-classcms_projectn/a
Product-classcmsn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-45896
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.15% / 83.56%
||
7 Day CHG~0.00%
Published-25 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.

Action-Not Available
Vendor-planetestreamn/a
Product-planet_estreamn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-29859
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.12%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 00:00
Updated-05 Mar, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

Action-Not Available
Vendor-mispn/amisp
Product-mispn/amisp
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-46493
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 26.67%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

Action-Not Available
Vendor-nbnbk_projectn/a
Product-nbnbkn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-6754
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-75.50% / 98.85%
||
7 Day CHG~0.00%
Published-05 Feb, 2020 | 16:08
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application).

Action-Not Available
Vendor-n/adotCMS, LLC
Product-dotcmsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 20
  • 21
  • Next
Details not found