951 matches found
CVE-2023-46574
An issue in TOTOLINK A3700R v.9.1.2u.616520211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...
Arduino Create Agent path traversal - local privilege escalation vulnerability
Impact The vulnerability affects the endpoint /upload which handles request with the filename parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduin...
PT-2023-28995 · Arduino · Arduino Create Agent
Name of the Vulnerable Software and Affected Versions: Arduino Create Agent versions prior to 1.3.3 Description: The issue affects the endpoint "/upload" which handles requests with the filename parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able ...
PT-2023-31983 · Openrapid · Openrapid Rapidcms
Name of the Vulnerable Software and Affected Versions: OpenRapid RapidCMS version 1.3.1 Description: A critical vulnerability has been found in OpenRapid RapidCMS, affecting the isImg function of the file /admin/config/uploadicon.php. The manipulation of the fileName argument leads to unrestricte...
Improper input validation leads to arbitrary file deletion
Description The /process endpoint of the python API in collector/api.py exposes an endpoint waiting for a POST request with a parameter named filename : py @api.route"/process", methods="POST" def processfile: content = request.json targetfilename = content.get"filename" printf"Processing...
PT-2023-8890
Name of the Vulnerable Software and Affected Versions Ray affected versions not specified Description The issue is related to incorrect restriction of a directory path with limited access in the Ray framework for scaling AI and Python applications. This can be exploited by a remote attacker to re...
CVE-2022-28865
An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious...
CVE-2022-28865
An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious...
PT-2023-12955 · Nokia · Nokia Netact
Name of the Vulnerable Software and Affected Versions: Nokia NetAct version 22 Description: An issue was discovered in the Site Configuration Tool website section, where a malicious user can change the filename of an uploaded file to include JavaScript code. This code is then stored and executed ...
VulnCheck KEV: CVE-2023-26255
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system...
Gin-Gonic Gin 安全漏洞
Gin-Gonic Gin is a Go-based framework for rapidly building web applications from the Gin-Gonic team. A security vulnerability exists in Gin-Gonic Gin, which stems from the filename parameter of the Context.FileAttachment function not being cleaned up correctly...
CVE-2023-37146
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...
CVE-2023-37149
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function...
CVE-2023-37149
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function...
CVE-2023-37149
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function...
CVE-2023-37146
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...
CVE-2023-37146
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...
Command injection
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function...
Command injection
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...
CVE-2023-37146
TOTOLINK LR350 V9.3.5u.6369B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...