CVE-2022-25299
CVE-2022-25299 affects the cesanta/mongoose package before 7.6. The root cause is unsafe handling of file names during upload via mg_http_upload(), which may allow attackers to write files to arbitrary locations outside the designated target folder. No remediation details are provided in the conn...
CVE-2022-25299 Arbitrary File Write
This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload via the mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder...
DEBIAN-CVE-2021-43301
Stack overflow in the PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'filenames' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation...
CVE-2021-43301
Stack overflow in the PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'filenames' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation...
CVE-2022-21805
Reflected cross-site scripting vulnerability in the attached file name of phpmailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors...
Drupal core Un-restricted Upload of File
Improper sanitization of file-name extensions is present in Drupal core...
CVE-2021-40813
A cross-site scripting (XSS) vulnerability in the "Zip content" feature in Element-IT HTTP Commander 3.1.9 allows remote authenticated users to inject arbitrary web script or HTML via file names...
USN-5204-1: Django vulnerabilities
Chris Bailey discovered that Django incorrectly handled evaluating submitted passwords. A remote attacker could possibly use this issue to consume resources, resulting in a denial of service. CVE-2021-45115 Dennis Brinkrolf discovered that Django incorrectly handled the dictsort template filter. ...
CVE-2021-45452
A directory-traversal flaw was found in Django's Storage.save method, where a network attacker could possibly traverse restricted paths using suitably crafted file names...
Ws Scrcpy Security Vulnerability
Ws Scrcpy is a web client for Genymobile/Scrcpy and others. A security vulnerability exists in Ws Scrcpy that stems from the fact that ws-scrcpy is susceptible to external control of file names or paths...
DEBIAN-CVE-2021-41499
A buffer overflow vulnerability exists in ajaxsoundstudio.com Pyo before 1.03 in the Server_debug function, which allows remote attackers to conduct DoS attacks by deliberately passing an overlong audio file name...
Pyo Security Vulnerability
Pyo is a Python module written in C by the individual developer Olivier Belanger. It is used to help create digital signal processing scripts (ajaxsoundstudio.com). A security vulnerability exists in versions of Pyo prior to 1.03, which can be exploited by an attacker to conduct a DoS attack by...
jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key
An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent's ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. This may allow attackers to control agent processes and read arbitrary files on t...
CVE-2021-23260
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site...
Design/Logic Flaw
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site...
CVE-2021-23260
CVE-2021-23260 affects Crafter CMS. Authenticated users with Site roles can inject XSS through file-name handling in the file upload function, enabling script execution in the browsers of this and other site users. Public-facing technical details are limited in the provided documents; CVSS vector...
The vulnerability in Cisco Firepower Threat Defense Software relates to improper external control of file names or file paths, allowing attackers to escalate their privileges.
The vulnerability in Cisco Firepower Threat Defense Software is related to improper external manipulation of a file name or file path. Exploiting this vulnerability can allow attackers to escalate their privileges by executing commands through the command-line interface...
GHSA-H352-G5VW-3926 Improper Input Validation in fruity
Methods of NSString for conversion to a string may return a partial result. Since they call CStr::from_ptr on a pointer to the string buffer, the string is terminated at the first null byte, which might not be the end of the string. In addition to the vulnerable functions listed for this issue, th...
django: Potential directory-traversal via uploaded files
A flaw was found in Django. MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names. The highest threat from this vulnerability is to data confidentiality...