Path Traversal
Open WebUI is vulnerable to Path Traversal. The vulnerability is due to improper validation and sanitization of uploaded file names derived from HTTP upload requests, which allows an attacker to upload files with crafted dot-segments and traverse outside the intended uploads directory, potentiall...
CVE-2026-22257
CVE-2026-22257 (Salvo) : The Rust web framework Salvo is vulnerable prior to 0.88.1 due to the list_html function in the serve-static directory not sanitizing file/folder names when generating a folder view. This can enable stored cross-site scripting (XSS) when a site serves public files and use...
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
Summary Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR lf-edge/ekuiper3911. The issues allow attacker-controlled input rule names, schema versions, plugin names, uploaded file names, and ZIP entries to influence fil...
EUVD-2021-25611
Malware in sbrugna...
EUVD-2024-21132
Malicious code in bioql PyPI...
The filename of uploaded files vulnerable to stored XSS in Bolt CMS
...
Ivanti Endpoint Manager Security Vulnerability
Ivanti Endpoint Manager is a unified endpoint management solution for multiple operating systems such as Windows, macOS, Linux, Chrome OS and supports IoT devices. A code execution vulnerability exists in Ivanti Endpoint Manager that stems from a lack of adequate validation of filenames of upload...
Ivanti Endpoint Manager Security Vulnerability
Ivanti Endpoint Manager is a unified endpoint management solution for multiple operating systems such as Windows, macOS, Linux, Chrome OS and supports IoT devices. A code execution vulnerability exists in Ivanti Endpoint Manager that stems from insufficient validation of filenames of uploaded...
Missing Authentication for Critical Function
Overview django-mdeditor is a simple Django app to edit markdown text. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint...
Contao Security Vulnerability
Contao is an open source content management system (CMS) developed in PHP. The system supports search engines, rights management, and CSS frameworks. A security vulnerability exists in Contao version 4.x prior to version 4.13.40 and version 5.x prior to version 5.3.4, which stems from the fact that...
DEBIAN-CVE-2024-23659
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js...
UBUNTU-CVE-2024-23659
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js...
SPIP Security Vulnerabilities
SPIP is a freeware program from SPIP for creating Internet sites. A security vulnerability exists in SPIP versions prior to 4.1.14, 4.2.x through 4.2.8. An attacker could exploit the vulnerability to perform a cross-site scripting attack via the name of an uploaded file...
Gibbon Security Vulnerabilities
Gibbon is a school platform that solves real-world problems that educators encounter every day. A security vulnerability exists in GibbonEdu Gibbon version 25.0.0, which stems from a Reflected Cross-Site Scripting (XSS) vulnerability in the filename of an uploaded file. The vulnerability can be...
Cross-site Scripting (XSS)
odoo is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to the binary field widget, which allows an attacker to inject arbitrary web script via crafted uploaded file names...
CVE-2023-28819
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0.0 through 9.0.2, is vulnerable to Stored XSS in uploaded file and folder names...
PT-2023-21987 · Unknown · Concrete Cms
Name of the Vulnerable Software and Affected Versions: Concrete CMS (previously concrete5) versions 8.5.12 and below; Concrete CMS (previously concrete5) versions 9.0.0 through 9.0.2. Description: The issue is related to Stored XSS in uploaded file and folder names. Recommendations: For Concrete CMS...
CVE-2021-45071
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names...
UBUNTU-CVE-2021-45071
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names...