14 matches found
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
The product custom option file upload in OpenMage LTS uses an incomplete blocklist forbiddenextensions = php,exe to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht...
CVE-2026-40488
Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete...
CVE-2026-40488
OpenMage LTS (Magento LTS) before 20.17.0 uses an incomplete blocklist (forbidden_extensions = php,exe) for custom option file uploads. This can be bypassed by using alternative PHP executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht, allowing files to be uploaded to...
SUSE CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
BIT-GITEA-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
GO-2025-4261 Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea...
GHSA-263Q-5CV3-XQ9G Gitea allows attackers to add attachments with forbidden file extensions
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
Gitea allows attackers to add attachments with forbidden file extensions
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
EUVD-2025-205411
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
SUSE CVE-2012-3382
Cross-site scripting XSS vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properl...
Roxy File Manager 1.4.5 PHP File Upload Restriction Bypass Exploit
Roxy File Manager version 1.4.5 proof of concept exploit for a PHP file upload restriction bypass vulnerability. Exploit Title: Roxy File Manager 1.4.5 PHP File Upload Restriction Bypass Exploit Author: Adam Shebani NULLHE4D Software: Roxy File Manager Version: 1.4.5 CVE: CVE-2018-20525 Vendor...
360 Web Manager 3.0 File Access
Exploit Title: Multiple vulnerabilities in 360 Web Manager 3.0 Google Dork: "Powered by 360 Web Manager 3.0" Date: 15/04/2011 Author: Ignacio Garrido Contact: [email protected] Software Link: www.360webmanager.com Version: v3.0 Tested on: Linux 2.6.18 Vulnerability description: 360 Web Manager 3....