Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce. This issue affects Product Import Export for WooCommerce: from n/a through 2.4.1.
Max CVSS: 9.1 | EPSS Score: 0.04% | Published: 2024-03-26 | Updated: 2024-03-26
ZITADEL users can upload their own avatar image, and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image, gaining access to the victim's account in certain scenarios. The victim would need to open the supposed image directly in a browser that has an active ZITADEL session for this exploit to work. The exploit could only be reproduced when the victim was using Firefox; Chrome, Safari and Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
Max CVSS: 8.7 | EPSS Score: 0.04% | Published: 2024-03-27 | Updated: 2024-03-28
Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic. This issue affects Tourfic: from n/a through 2.11.15.
Max CVSS: 9.9 | EPSS Score: 0.04% | Published: 2024-03-19 | Updated: 2024-03-19
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
Max CVSS: 9.1 | EPSS Score: 0.04% | Published: 2024-03-28 | Updated: 2024-03-28
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.9.
Max CVSS: 8.8 | EPSS Score: 0.04% | Published: 2024-03-21 | Updated: 2024-03-21
Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register. This issue affects Pie Register: from n/a through 3.8.3.1.
Max CVSS: 10.0 | EPSS Score: 0.04% | Published: 2024-03-17 | Updated: 2024-03-17
Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.
Max CVSS: 8.8 | EPSS Score: 0.04% | Published: 2024-03-06 | Updated: 2024-03-21
Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts. This issue affects WooCommerce Easy Checkout Field Editor, Fees & Discounts: from n/a through 3.5.12.
Max CVSS: 10.0 | EPSS Score: 0.04% | Published: 2024-02-26 | Updated: 2024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo. This issue affects MoveTo: from n/a through 6.2.
Max CVSS: 10.0 | EPSS Score: 0.04% | Published: 2024-02-26 | Updated: 2024-02-26
Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder. This issue affects WP Media folder: from n/a through 5.7.2.
Max CVSS: 9.9 | EPSS Score: 0.04% | Published: 2024-02-26 | Updated: 2024-02-26
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2024-02-09 | Updated: 2024-02-12
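The ZITADEL avatar entry above and this MISP logo entry describe the same gap from two angles: no check that the bytes are really an image, and no check that the extension and MIME type agree with them. The following is an added example, not ZITADEL's or MISP's own code, showing the validation a practitioner would want on an image upload endpoint: an extension allowlist, a content-type decision taken from magic bytes that must agree with the extension and the declared type, a refusal of HTML-looking markup so a content-sniffing browser (the Firefox case in the ZITADEL advisory) cannot execute it, and the response headers the stored file should be served with. All function names and the sample payloads are constructed for this example.

```python
"""Validate an uploaded avatar or logo as a genuine image before storing or serving it.

Added example, not ZITADEL's or MISP's own code. Names and payloads are constructed.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Magic-byte prefixes for the formats we accept, mapped to the canonical MIME type.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Extension the client may use -> MIME type the bytes must actually have.
_EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                "gif": "image/gif", "webp": "image/webp"}
_MIME_TO_EXT = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif", "image/webp": "webp"}
# Markup that would let a sniffing browser treat the blob as a document rather than an image.
_HTML_MARKUP = re.compile(rb"<\s*(!doctype|html|head|body|script|svg|iframe|object|embed|meta)\b",
                          re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a reason to log server-side (do not echo it verbatim to the client)."""


@dataclass(frozen=True)
class ValidatedImage:
    mime_type: str    # decided from the bytes, never from the client
    extension: str    # canonical extension for mime_type
    stored_name: str  # random server-side name; the client's filename is discarded


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for prefix, mime in _SIGNATURES.items():
        if data.startswith(prefix):
            return mime
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_image_upload(filename: str, declared_mime: str, data: bytes,
                          max_bytes: int = 2 * 1024 * 1024) -> ValidatedImage:
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in _EXT_TO_MIME:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # The client-declared Content-Type is cheap to check but proves nothing on its own.
    declared = declared_mime.split(";", 1)[0].strip().lower().replace("image/jpg", "image/jpeg")
    if declared not in _MIME_TO_EXT:
        raise UploadRejected(f"declared Content-Type not allowed: {declared!r}")
    # The bytes decide the real type, and it must agree with extension and declared type.
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image format")
    if sniffed != _EXT_TO_MIME[ext] or sniffed != declared:
        raise UploadRejected(f"extension/declared type disagree with content type {sniffed}")
    # Defence in depth against polyglots: a valid GIF header followed by <script> still sniffs
    # as an image above, so refuse anything carrying HTML-looking markup anywhere in the body.
    if _HTML_MARKUP.search(data):
        raise UploadRejected("image body contains HTML markup")
    canonical_ext = _MIME_TO_EXT[sniffed]
    return ValidatedImage(sniffed, canonical_ext, f"{secrets.token_hex(16)}.{canonical_ext}")


def upload_rejection_reason(filename: str, declared_mime: str, data: bytes) -> Optional[str]:
    """The rejection reason, or None when the upload is accepted."""
    try:
        validate_image_upload(filename, declared_mime, data)
        return None
    except UploadRejected as exc:
        return str(exc)


def serving_headers(image: ValidatedImage) -> Dict[str, str]:
    """Response headers for the stored file so that no browser re-interprets it as HTML."""
    return {
        "Content-Type": image.mime_type,
        "X-Content-Type-Options": "nosniff",  # disables MIME sniffing in all major browsers
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if sniffed
        "Content-Disposition": f'inline; filename="avatar.{image.extension}"',
    }


# Constructed sample payloads (not real uploads).
PNG_AVATAR = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
HTML_AS_PNG = b"<html><script>fetch('/api/me').then(r => r.text()).then(t => alert(t))</script></html>"
GIF_POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00" + b"<script>alert(document.cookie)</script>"
```

The order of the checks matters less than the fact that the stored name and the `Content-Type` used when serving both come from the validated bytes, never from the request; the `nosniff` header is what closes the Firefox case even if a polyglot slips past the markup scan.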
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
Max CVSS: 8.5 | EPSS Score: 0.04% | Published: 2024-02-19 | Updated: 2024-02-20
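The Mastodon entry above turns on one missing check: a JSON file a user uploaded to the remote host parses just as well as an object the remote server actually vouches for, so the response media type is the only thing that separates them. The following is an added example, not Mastodon's code, modelling that check on the fetching side: the response `Content-Type` must be an Activity Streams media type before the body is parsed, in addition to the rule (assumed already present, as the advisory's same-domain condition implies) that the object's `id` must be on the host it was fetched from. The response table standing in for an HTTP client and all URLs are constructed for the example.

```python
"""Accept a fetched ActivityPub object only when the remote server says it is one.

Added example, not Mastodon's code. The response table below is constructed.
"""
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

ACTIVITY_STREAMS_PROFILE = "https://www.w3.org/ns/activitystreams"

# (HTTP status, headers, body) keyed by URL: a stand-in for an HTTP client.
Response = Tuple[int, Dict[str, str], bytes]


def parse_content_type(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; k2="v 2"' into a lower-cased media type and its parameters."""
    parts = [p.strip() for p in header.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def is_activity_streams(content_type: Optional[str]) -> bool:
    """True for application/activity+json, or application/ld+json carrying the AS2 profile."""
    if not content_type:
        return False
    media_type, params = parse_content_type(content_type)
    if media_type == "application/activity+json":
        return True
    if media_type == "application/ld+json":
        # `profile` is a space-separated list of IRIs; the AS2 one must be among them.
        return ACTIVITY_STREAMS_PROFILE in params.get("profile", "").split()
    return False


class FetchRejected(Exception):
    pass


def fetch_object(url: str, responses: Dict[str, Response]) -> dict:
    """Resolve `url` through the lookup table and return the parsed object, or raise FetchRejected."""
    if url not in responses:
        raise FetchRejected("no response")
    status, headers, body = responses[url]
    if status != 200:
        raise FetchRejected(f"HTTP {status}")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    # The fix from the advisory: a user upload served as application/json, text/plain or
    # application/octet-stream parses as JSON just as well, so only the media type tells
    # an object the server vouches for apart from an arbitrary file it merely hosts.
    if not is_activity_streams(ctype):
        raise FetchRejected(f"not an Activity Streams document: {ctype!r}")
    obj = json.loads(body)
    obj_id = obj.get("id") if isinstance(obj, dict) else None
    # Assumed pre-existing rule: the object must claim an id on the host it was fetched from.
    # This is what forces the attacker onto the same domain as the actors in the first place.
    if not isinstance(obj_id, str) or urlparse(obj_id).netloc.lower() != urlparse(url).netloc.lower():
        raise FetchRejected("object id is not on the fetched host")
    return obj


def fetch_rejection_reason(url: str, responses: Dict[str, Response]) -> Optional[str]:
    """The rejection reason, or None when the object is accepted."""
    try:
        fetch_object(url, responses)
        return None
    except FetchRejected as exc:
        return str(exc)


def _json(obj: dict) -> bytes:
    return json.dumps(obj).encode()


# Constructed responses standing in for a remote instance at remote.example.
AS2_LD = f'application/ld+json; profile="{ACTIVITY_STREAMS_PROFILE}"'
FAKE_RESPONSES: Dict[str, Response] = {
    # A genuine status served by the instance's ActivityPub endpoint.
    "https://remote.example/users/alice/statuses/1": (200, {"Content-Type": AS2_LD}, _json({
        "id": "https://remote.example/users/alice/statuses/1", "type": "Note",
        "attributedTo": "https://remote.example/users/alice", "content": "hello"})),
    # An attacker's upload on the same host: the body impersonates alice, but the server
    # serves it as a plain JSON file, which is exactly what the Content-Type check catches.
    "https://remote.example/media/attacker/forged.json": (200, {"Content-Type": "application/json"}, _json({
        "id": "https://remote.example/media/attacker/forged.json", "type": "Note",
        "attributedTo": "https://remote.example/users/alice", "content": "forged"})),
    # Correct media type, but the id claims a different host than the one fetched from.
    "https://other.example/objects/9": (200, {"Content-Type": "application/activity+json"}, _json({
        "id": "https://remote.example/users/alice/statuses/9", "type": "Note"})),
}
```

Note that the check is on the response `Content-Type`, not on the `Accept` header the fetcher sent: the third property in the advisory is about what the remote server answers to an Activity Streams `Accept`, and a server that answers with the upload's own (non-AS2) media type is exactly the case the check rejects.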
Unrestricted File Upload vulnerability in Employee Management System 1.0 allows a remote attacker to execute arbitrary code via the edit-photo.php component.
Max CVSS: 9.8 | EPSS Score: 0.11% | Published: 2024-02-08 | Updated: 2024-02-12
File Upload vulnerability in index.php in Pichome v1.1.01 allows a remote attacker to execute arbitrary code via a crafted POST request.
Max CVSS: 9.8 | EPSS Score: 0.11% | Published: 2024-02-08 | Updated: 2024-02-15
File Upload vulnerability in Software Publico e-Sic Livre v2.0 and earlier allows a remote attacker to execute arbitrary code via the extension filtering component.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2024-02-08 | Updated: 2024-02-14
An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt file.
Max CVSS: 9.8 | EPSS Score: 0.11% | Published: 2024-02-08 | Updated: 2024-02-15
An arbitrary file upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in a specially crafted filename parameter to perform arbitrary file download.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2024-02-08 | Updated: 2024-02-10
An arbitrary file upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in a specially crafted filename parameter to perform arbitrary file download.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2024-02-08 | Updated: 2024-02-10
An arbitrary file download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary file download.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2024-02-08 | Updated: 2024-02-10
jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2024-02-06 | Updated: 2024-02-13
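The jshERP entry above (a `biz` parameter spliced into the upload destination) and the Novel-Plus fileDownload() entry (a client-supplied `filePath` resolved for download) are the same root cause seen from both directions: a request parameter becomes a path segment without being confined to the storage root. The following is an added example, not jshERP's or Novel-Plus's code, showing the containment a practitioner would apply on both sides in Python: a strict allowlist for directory segments, a random server-chosen name on upload, and a resolve-then-compare check so that neither `..` nor an absolute path can leave the root. The root directory, function names and sample inputs are assumptions for the example; the root does not need to exist for `resolve()` to normalise it.

```python
"""Confine user-controlled path fragments to a fixed storage root.

Added example, not jshERP's or Novel-Plus's code. Names and inputs are constructed.
"""
import re
import secrets
from pathlib import Path
from typing import Callable, Optional

# Assumed storage root; it is only resolved, never created, in this example.
STORAGE_ROOT = Path.cwd() / "upload-root"

# A directory segment such as jshERP's `biz` should be a short token, nothing more.
_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
_ALLOWED_EXT = {"png", "jpg", "jpeg", "pdf", "xlsx"}


class PathRejected(ValueError):
    pass


def contained_path(root: Path, *parts: str) -> Path:
    """Join `parts` under `root` and guarantee the resolved result is still inside `root`.

    resolve() collapses `..`, and joining an absolute part replaces the root entirely,
    so the final comparison is what actually enforces containment; the per-parameter
    checks in the callers only give earlier, more specific errors.
    """
    root = root.resolve()
    candidate = root.joinpath(*parts).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathRejected(f"path escapes storage root: {candidate}")
    return candidate


def upload_destination(root: Path, biz: str, original_name: str) -> Path:
    """Upload side: the directory comes from an allowlisted token, the file name from the server."""
    if not _SEGMENT.match(biz):
        raise PathRejected("invalid biz segment")
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in _ALLOWED_EXT:
        raise PathRejected(f"extension not allowed: {ext!r}")
    # Never reuse the client's file name: a random name removes traversal sequences,
    # NUL bytes and double extensions in one step.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return contained_path(root, biz, stored)


def download_path(root: Path, file_path: str) -> Path:
    """Download side: a relative path is accepted because it must name an existing object,
    but it is rejected if absolute or NUL-containing and then confined to the root."""
    if "\x00" in file_path or Path(file_path).is_absolute():
        raise PathRejected("absolute path or NUL byte in filePath")
    return contained_path(root, file_path)


def path_rejection_reason(fn: Callable[..., Path], *args) -> Optional[str]:
    """The rejection reason, or None when the path is accepted."""
    try:
        fn(*args)
        return None
    except PathRejected as exc:
        return str(exc)
```

`contained_path` is deliberately the only place the decision is made, so a new endpoint that forgets the parameter-level checks still cannot write or read outside the root; on a real deployment the root should also be outside the web server's document root so that an accepted upload is never directly executable.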
A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files that could potentially lead to remote code execution.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2024-02-13 | Updated: 2024-02-13
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via the "search" parameter of the "Parcelshopfinder/AddAddressBookEntry" function.
Max CVSS: 9.8 | EPSS Score: 0.11% | Published: 2024-02-12 | Updated: 2024-02-15
An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required but can be bypassed.
Max CVSS: 9.0 | EPSS Score: 0.08% | Published: 2024-01-26 | Updated: 2024-02-01
DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2024-01-22 | Updated: 2024-01-26
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via a crafted POST request to /ms/file/upload.do.
Max CVSS: 8.8 | EPSS Score: 0.05% | Published: 2024-02-05 | Updated: 2024-02-14
1617 vulnerabilities found