Total
3310 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-40324 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 7.5 High |
| Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | ||||
| CVE-2021-40189 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 7.2 High |
| PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code. | ||||
| CVE-2021-40188 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 7.2 High |
| PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server. | ||||
| CVE-2021-40175 | 1 Zohocorp | 1 Manageengine Log360 | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. | ||||
| CVE-2021-3915 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 5.7 Medium |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-3906 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 6.5 Medium |
| bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-3846 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 8.8 High |
| firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-3832 | 1 Artica | 1 Integria Ims | 2024-11-21 | 9.8 Critical |
| Integria IMS in its 5.0.92 version is vulnerable to a Remote Code Execution attack through file uploading. An unauthenticated attacker could abuse the AsyncUpload() function in order to exploit the vulnerability. | ||||
| CVE-2021-3745 | 1 Flatcore | 1 Flatcore-cms | 2024-11-21 | 6.6 Medium |
| flatcore-cms is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-3378 | 1 Fortilogger | 1 Fortilogger | 2024-11-21 | 9.8 Critical |
| FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp. | ||||
| CVE-2021-3277 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.2 High |
| Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files. | ||||
| CVE-2021-3166 | 1 Asus | 2 Dsl-n14u B1, Dsl-n14u B1 Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services. | ||||
| CVE-2021-3164 | 1 Churchdesk | 1 Churchrota | 2024-11-21 | 8.8 High |
| ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php. | ||||
| CVE-2021-3120 | 1 Yithemes | 1 Yith Woocommerce Gift Cards | 2024-11-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images. | ||||
| CVE-2021-39608 | 1 Flatcore | 1 Flatcore-cms | 2024-11-21 | 7.2 High |
| Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code. | ||||
| CVE-2021-39384 | 1 Diaowen | 1 Dwsurvey | 2024-11-21 | 9.8 Critical |
| DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java. | ||||
| CVE-2021-39222 | 1 Nextcloud | 1 Talk | 2024-11-21 | 6.4 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy. | ||||
| CVE-2021-39221 | 1 Nextcloud | 1 Contacts | 2024-11-21 | 6.4 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy. | ||||
| CVE-2021-39040 | 1 Ibm | 1 Planning Analytics Workspace | 2024-11-21 | 8.0 High |
| IBM Planning Analytics Workspace 2.0 could be vulnerable to malicious file upload by not validating the file types or sizes. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 214025. | ||||
| CVE-2021-38945 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 9.8 Critical |
| IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 could allow a remote attacker to upload arbitrary files, caused by improper content validation. IBM X-Force ID: 211238. | ||||