68 matches found
CVE-2021-24563
The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly...
Open-xchange OX App Suite 跨站脚本漏洞
OX App Suite is a modular platform designed for telcos, hosting companies and vendors to deliver a wide range of cloud-based services. A cross-site scripting vulnerability exists in OX App Suite 7.10.4. An attacker can exploit this vulnerability via a specially crafted Content-Disposition header ...
Design/Logic Flaw
In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer render HTML elements in a .eml file, because of admin/upload-uploadify.php, and validatesafefile in admin/inc/securityfunctions.php...
CVE-2018-19421
CVE-2018-19421 affects GetSimpleCMS 3.3.15. The vulnerability arises in the upload handling: admin/upload-uploadify.php and the validation routine in admin/inc/security_functions.php interact with admin/upload.php, which blocks .html uploads but allows Internet Explorer to render HTML elements co...
DEBIAN-CVE-2013-5738
The getallowedmimetypes function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfilteredhtml capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting XSS attacks via a crafted file...
UBUNTU-CVE-2013-5738
The getallowedmimetypes function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfilteredhtml capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting XSS attacks via a crafted file...
CVE-2008-6542
Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform "server-side execution of application logic" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files...
CVE-2007-6676
The default configuration of Uber Uploader UU 5.3.6 and earlier does not block uploads of 1 .html, 2 .asp, and other possibly dangerous extensions, which allows remote attackers to use these extensions in uploads via a uufileupload.php, related to uufileupload.js and b uberuploaderfile.php, relat...