Total
3654 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2636 | 2024-11-21 | 9 Critical | ||
| An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via '/config/espanol/update_password.jsp' file. Modifying the 'M4_NEW_PASSWORD' parameter, an attacker could store a malicious JSP file inside the file directory, to be executed the the file is loaded in the application. | ||||
| CVE-2024-2565 | 2024-11-21 | 6.3 Medium | ||
| A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257064. | ||||
| CVE-2024-2381 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2024-11-21 | 8.8 High |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-29859 | 2024-11-21 | 9.8 Critical | ||
| In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. | ||||
| CVE-2024-28520 | 2024-11-21 | 6.5 Medium | ||
| File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.php component. | ||||
| CVE-2024-28269 | 1 Recrystallize Software | 1 Recrystallive Server | 2024-11-21 | 7.2 High |
| ReCrystallize Server 5.10.0.0 allows administrators to upload files to the server. The file upload is not restricted, leading to the ability to upload of malicious files. This could result in a Remote Code Execution. | ||||
| CVE-2024-27957 | 2024-11-21 | 10 Critical | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register.This issue affects Pie Register: from n/a through 3.8.3.1. | ||||
| CVE-2024-27903 | 1 Openvpn | 1 Openvpn | 2024-11-21 | 9.8 Critical |
| OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | ||||
| CVE-2024-27733 | 2024-11-21 | 7.7 High | ||
| File Upload vulnerability in Byzro Network Smart s42 Management Platform v.S42 allows a local attacker to execute arbitrary code via the useratte/userattestation.php component. | ||||
| CVE-2024-27311 | 1 Zohocorp | 1 Manageengine Ddi Central | 2024-11-21 | 5.5 Medium |
| Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder. | ||||
| CVE-2024-25674 | 1 Misp | 1 Misp | 2024-11-21 | 9.8 Critical |
| An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. | ||||
| CVE-2024-24550 | 1 Bludit | 1 Bludit | 2024-11-21 | N/A |
| A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | ||||
| CVE-2024-24202 | 1 Easycorp | 3 Zentao, Zentao Biz, Zentao Max | 2024-11-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file. | ||||
| CVE-2024-24024 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. | ||||
| CVE-2024-23811 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 8.8 High |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution. | ||||
| CVE-2024-22550 | 1 Shopsite | 1 Shopsite | 2024-11-21 | 6.1 Medium |
| An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. | ||||
| CVE-2024-22263 | 2024-11-21 | 8.8 High | ||
| Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server. | ||||
| CVE-2024-1659 | 1 Megabip | 1 Megabip | 2024-11-21 | 9.8 Critical |
| Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10. | ||||
| CVE-2024-1532 | 2024-11-21 | 6.8 Medium | ||
| A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could enforce diagnostic texts being displayed as empty strings, if an authorized user uploads a specially crafted stb-language file. | ||||
| CVE-2024-1531 | 2024-11-21 | 8.2 High | ||
| A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could print random memory content in the RTU500 system log, if an authorized user uploads a specially crafted stb-language file. | ||||