WordPress wp-file-upload plugin code issue vulnerability
WordPress is a blogging platform developed by the WordPress Foundation in PHP. The platform supports setting up personal blog sites on PHP and MySQL servers. wp-file-upload is a file upload plugin used with it. A code issue vulnerability exists in the WordPress wp-file-upload plugin,...
CVE-2019-15104
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious...
CVE-2019-14794
The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders...
CVE-2019-14794
CVE-2019-14794 affects the WordPress Meta Box plugin prior to version 4.16.2. The vulnerability arises from mishandling file uploads to custom folders, with a CVSS3 base score of 7.5 (network attack vector, low attack complexity, no privileges required, integrity impact HIGH). Public exploitation detail...
The vulnerability in the automated personal data management system "Tula" is an unrestricted upload of files of a dangerous type, allowing an attacker to execute arbitrary code.
The vulnerability in the automated personal data management system "Tula" is related to the unrestricted upload of dangerous file types. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by uploading a specially crafted file to the server using a specially crafted POST...
RANGER Studio Directus Code Execution Vulnerability (CNVD-2019-39679)
RANGER Studio Directus is an open-source headless CMS and API for managing custom databases from RANGER Studio, U.S.A. The Directus API is one of its components and adds a RESTful API layer to new or existing SQL databases. A security vulnerability exists in RANGER Studio Directus 7...
CVE-2019-13979
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads//originals remote code execution...
CVE-2019-13980
Directus 7 API (up to version 2.3.0) permits PHP uploads only when using Apache; with nginx, uploads/_/originals can lead to remote code execution. No exploitation details are provided in the given documents beyond this risk description. Remediation/patch details are not included in the connected...
CVE-2019-0327
SAP NetWeaver for Java Application Server - Web Container, engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5, servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5, allows an attacker to upload files including script files without proper file format validation...
Command injection
In Hunesion i-oneNet versions 3.0.7 to 3.0.53 and 4.0.4 to 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system comman...
Linear eMerge 50P/5000P File Upload Vulnerability
The Linear eMerge 50P/5000P is an access control security system managed through a browser from Nortek Security & Control. A file upload vulnerability exists in the Linear eMerge 50P/5000P. An attacker could use this vulnerability to upload a file with an arbitrary extension to a directory in the...
Personalized Customer Support that Garners a Personalized Thank You
In my two-plus years as a Technical Support Engineer at Imperva, I’ve handled a wide variety of customer cases. And I’ve had the satisfaction of helping resolve them quickly and successfully. But never before have I received a handwritten thank you note from an effusive customer. Let me start at...
UBUNTU-CVE-2019-10134
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded...
CVE-2019-10134
The CVE-2019-10134 entry applies to Moodle installations before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The vulnerability arises from inadequate validation of the size of users’ private file uploads sent via email, allowing quota usage to exceed allocated limits. Impact is limited to quota overruns ...
Design/Logic Flaw
SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940...
CVE-2018-19146
CVE-2018-19146 affects Concrete5 8.4.3. The issue is a stored XSS caused by config/concrete.php allowing administrators to upload SVG files that may contain HTML data with a SCRIPT element. Impact is an XSS vulnerability in Concrete5’s SVG handling, with no further exploit details or affected ver...
PT-2019-16868 · IBM · IBM Maximo Asset Management
Name of the Vulnerable Software and Affected Versions: IBM Maximo Asset Management version 7.6 Description: The issue concerns the lack of file type validation upon upload in the Work Centers' application, allowing attackers to upload malicious files. Recommendations: For IBM Maximo Asset...