Total
4007 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-22132 | 1 Wegia | 1 Wegia | 2025-02-13 | 8.3 High |
| WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | ||||
| CVE-2024-23946 | 1 Apache | 1 Ofbiz | 2025-02-13 | 5.3 Medium |
| Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | ||||
| CVE-2023-5360 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-02-13 | 9.8 Critical |
| The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. | ||||
| CVE-2023-31428 | 1 Broadcom | 1 Brocade Fabric Operating System | 2025-02-13 | 5.5 Medium |
| Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under user's home directory using grep. | ||||
| CVE-2023-27602 | 1 Apache | 1 Linkis | 2025-02-13 | 9.8 Critical |
| In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` | ||||
| CVE-2023-0265 | 1 Uvdesk | 1 Community-skeleton | 2025-02-13 | 8.8 High |
| Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | ||||
| CVE-2023-39147 | 1 Webkul | 1 Uvdesk | 2025-02-13 | 7.8 High |
| An arbitrary file upload vulnerability in Uvdesk 1.1.3 allows attackers to execute arbitrary code via uploading a crafted image file. | ||||
| CVE-2022-32114 | 1 Strapi | 1 Strapi | 2025-02-13 | 8.8 High |
| An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired. | ||||
| CVE-2023-26857 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2025-02-13 | 7.2 High |
| An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2024-37273 | 2 Homebrew, Jan | 2 Jan, Jan | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-36858 | 1 Homebrew | 1 Jan | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-36774 | 1 Monstra | 1 Monstra | 2025-02-13 | 7.2 High |
| An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
| CVE-2024-34913 | 2 Rubinchu, Technocking | 2 R-pan-scaffolding, R-pan-scaffolding | 2025-02-13 | 5.4 Medium |
| An arbitrary file upload vulnerability in r-pan-scaffolding v5.0 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2024-34909 | 1 Kykms | 1 Kykms | 2025-02-13 | 9.8 Critical |
| An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2024-34906 | 1 Dootask | 1 Dootask | 2025-02-13 | 6.3 Medium |
| An arbitrary file upload vulnerability in dootask v0.30.13 allows attackers to execute arbitrary code via uploading a crafted PDF file. | ||||
| CVE-2022-45171 | 1 Liveboxcloud | 1 Vdesk | 2025-02-13 | 8.8 High |
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Unrestricted Upload of a File with a Dangerous Type can occur under the vShare web site section. A remote user, authenticated to the product, can arbitrarily upload potentially dangerous files without restrictions. | ||||
| CVE-2024-25034 | 1 Ibm | 1 Planning Analytics Local | 2025-02-12 | 8 High |
| IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks. | ||||
| CVE-2024-40693 | 1 Ibm | 1 Planning Analytics Local | 2025-02-12 | 8 High |
| IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. | ||||
| CVE-2023-27033 | 1 Cdesigner Project | 1 Cdesigner | 2025-02-12 | 9.8 Critical |
| Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent(). | ||||
| CVE-2023-2712 | 1 Rental Module Project | 1 Rental Module | 2025-02-12 | 9.8 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server.This issue affects Rental Module: before 23.05.15. | ||||