PT-2025-22153 · Schweitzer Engineering Laboratories · Sel-5056 Software-Defined Network Flow Controller
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue is related to improper limitation of pathname in Circuit Provisioning and File Import applications, allowing modification and uploading of files. Recommendations: At the moment,...
PT-2025-20436 · Pixmeo · Osirix Md
Name of the Vulnerable Software and Affected Versions: Pixmeo OsiriX MD, affected versions not specified. Description: The issue is a local use-after-free. An attacker could locally import a crafted DICOM file, potentially causing memory corruption or a system crash...
CVE-2024-9664 WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) PHP Object Injection via Import File
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP...
CVE-2021-39181
OpenOlat is a web-based learning management system (LMS). Prior to versions 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course), any class on the Java classpath can be instantiated, including Spring AOP bean factories. This can be used to execute arbitrary code by the...
Exploit for CVE-2024-42845
CVE-2024-42845: Remote Code Execution RCE in Invesalius 3.1...
CVE-2024-12701 WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting
The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2024-9624 WP All Import Pro <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import
The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxicurldownload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to ma...
WordPress WP All Import Pro plugin <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import vulnerability
Authenticated (Administrator+) Server-Side Request Forgery via File Import vulnerability discovered by Ivan Kuzymchak in WordPress Plugin WP All Import Pro versions <= 4.9.3...
CVE-2024-45679
Heap-based buffer overflow vulnerability in Assimp versions prior to 5.4.3 allows a local attacker to execute arbitrary code by importing a specially crafted file into the product...
UBUNTU-CVE-2024-45679
Heap-based buffer overflow vulnerability in Assimp versions prior to 5.4.3 allows a local attacker to execute arbitrary code by importing a specially crafted file into the product...
PT-2024-31674 · Zimbra · Zimbra Daffodil
Name of the Vulnerable Software and Affected Versions: Zimbra Daffodil version 10.1.1 Description: A Cross-Site Scripting (XSS) issue, caused by inadequate validation of the metadata Content-Type when importing files into the briefcase, was resolved. Recommendations: For Zimbra Daffodil version 10.1.1,...
PT-2024-6443 · Unknown +1 · Invesalius +1
Name of the Vulnerable Software and Affected Versions: InVesalius versions 3.1.99991 through 3.1.99998 Description: The issue is related to an eval Injection vulnerability in the invesalius/reader/dicom.py component, which allows attackers to execute arbitrary code via loading a crafted DICOM fil...
CVE-2024-39699 Directus has a Blind SSRF On File Import
Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
CVE-2024-39699
Directus has a Blind SSRF via redirects in file import. The vulnerability arises because redirects are allowed during URL-based imports and the response URL isn’t validated, enabling requests to internal IPs (e.g., 127.0.0.1) despite earlier fixes that only validated DNS/internal IPs. The issue i...
GHSA-8P72-RCQ4-H6PW Directus Blind SSRF On File Import
Summary There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
Directus Blind SSRF On File Import
Summary There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard used to manage SQL database content. A security vulnerability exists in Directus versions prior to 10.9.3, which stems from allowing redirection when importing files from a URL and not checking the URL...
CVE-2023-47166
A firmware update vulnerability exists in the luci2-io file-import functionality of Milesight UR32L v32.3.0.7-r2. A specially crafted network request can lead to arbitrary firmware update. An attacker can send a network request to trigger this vulnerability...
CVE-2023-47166
Milesight UR32L firmware update vulnerability (CVE-2023-47166) affects luci2-io file-import in v32.3.0.7-r2. A crafted network request can bypass upgrade validation, enabling arbitrary firmware updates and potential full device takeover. CVSS v3.1 score 8.8 (Network, Low attack complexity, Privil...