An Arbitrary File Upload vulnerability was discovered in the Golo Laravel theme v 1.1.5.
File Upload component in Projects World House Rental v1.0 suffers from an arbitrary file upload vulnerability with regular users, which allows remote attackers to conduct code execution.
File Upload vulenrability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.
Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper judgment of the request parameters, triggers remote code execution.
An arbitrary file upload vulnerability in the Template Upload function of Maccms10 allows attackers bypass the suffix whitelist verification to execute arbitrary code via adding a character to the end of the uploaded file's name.
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution
In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php.
An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter.
File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via modification of the imageext parameter from jpg, jpeg,gif, and png to jpg, jpeg,gif, png, pphphp.
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function.
Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module.
File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.
Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.
Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'.
An arbitrary file upload vulnerability in the avatar upload function of vaeThink v1.0.1 allows attackers to open a webshell via changing uploaded file suffixes to ".php".
Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'.
A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.
Niushop B2B2C Multi-business basic version V1.11, can bypass the administrator to obtain the background upload interface, through parameter upload, bypass the getimagesize function, upload php file, getshell.
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.
Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/.
An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands.
File Upload vulnerability in SEMCMS PHP 3.7 allows remote attackers to upload arbitrary files and gain escalated privileges.
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0
LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit.
jizhiCMS 2.5 suffers from a File upload vulnerability.
A vulnerability was found in SourceCodester Online Discussion Forum Site 1.0. It has been classified as critical. Affected is an unknown function of the file /uupdate.php. The manipulation of the argument ima leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257388.
OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php.
File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file.
KnowBand supercheckout > 5.0.7 and < 6.0.7 is vulnerable to Unrestricted Upload of File with Dangerous Type. In the module "Module One Page Checkout, Social Login & Mailchimp" (supercheckout), a guest can upload files with extensions .php
The install_from_hash functionality in Navigate CMS 2.9 does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code, in check_upload in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php.
NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload
A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/.
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system.
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.
An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file.