1015 matches found
CVE-2024-31214 Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file...
File Validation Bypass
ibexa/core is vulnerable to File Validation Bypass. The vulnerability is due to inadequate file type validation within the validate function in FileExtensionBlackListValidator.php. When attempting to publish content with rejected file types, the validation fails which does prevent publication, bu...
CVE-2024-2565
A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to...
CVE-2024-2565 PandaXGO PandaX File Extension upload.go unrestricted upload
A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to...
BIT-PARSE-2023-32689 Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server vi...
Unrestricted file upload
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension...
Unrestricted File Upload
Kirby is vulnerable to unrestricted file upload. The vulnerability is due to the absence of validation or checks for the file type or file extension during the upload process. This allows attackers to bypass server protections and upload files not intended for the upload target, potentially leadi...
GHSA-XRVH-RVC4-5M43 Kirby vulnerable to unrestricted file upload of user avatar images
TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. The attack requires user interaction by another user or visitor and cannot be automated. ---- Introduction Unrestricted upload of files with a dangerous type is a type o...
CVE-2024-25674
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type...
Design/Logic Flaw
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type...
CVE-2024-25674
CVE-2024-25674 affects MISP before 2.4.184. The issue is insecure organisation logo upload due to missing checks for file extension and MIME type, enabling potential abuse. CVSSv3.1 base score 9.8 (CRITICAL) with attack vector NETWORK, no auth, high impact to confidentiality, integrity, and avail...
Exploit for CVE-2023-47400
CVE-2023-47400 Proof of Concept for the CVE-2023-47400 Aut...
GHSA-Q68H-XWQ5-MM7X Cross-site Scripting Vulnerability on Avatar Upload
Introduction This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2 and was tested on version 1.8.2. Overview Label Studio has a cross-site scripting XSS vulnerability that coul...
Cross-site Scripting Vulnerability on Avatar Upload
Introduction This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2 and was tested on version 1.8.2. Overview Label Studio has a cross-site scripting XSS vulnerability that coul...
Cross site scripting
Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting XSS vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary...
CVE-2023-47115
CVE-2023-47115: Label Studio before version 1.9.2 contains an XSS vulnerability via avatar upload. The vulnerability stems from the avatar handling in label_studio/users/functions.py, which only validates that the uploaded file is an image by checking dimensions; it does not securely validate th...