856 matches found

NVD, added 2023/11/23 3:15 p.m. (10 views)

CVE-2023-41788

Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773...

CVSS 8.8, EPSS 0.00717. Exploits: 0, References: 1
Vulnrichment, added 2023/11/22 3:33 p.m. (11 views)

CVE-2023-5815 News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Remote Code Execution via Local File Inclusion

The News & Blog Designer Pack – WordPress Blog Plugin — Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdpgetmorepost...

CVSS 8.1, AI score 7.7, EPSS 0.04262. Exploits: 0, References: 4
Veracode, added 2023/11/15 8:07 a.m. (13 views)

Remote Code Execution (RCE)

guest-entries is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the uploadFile function in GuestEntryController.php, as there are no checks for the file type being uploaded. This allows attackers to upload and potentially execute malicious PHP files...

CVSS 8.8, AI score 8.1, EPSS 0.01022. Exploits: 0, References: 3, Affected Software: 2
Vulnrichment, added 2023/11/14 9:38 p.m. (12 views)

CVE-2023-48217 Remote code execution via form uploads in statamic/cms

Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...

CVSS 8.8, AI score 6.9, EPSS 0.01104. Exploits: 0, References: 2
CVE, added 2023/11/14 9:38 p.m. (155 views)

CVE-2023-48217

Statamic CMS vulnerability CVE-2023-48217 affects forms and asset upload fields where additional PHP files crafted to look like images could bypass mime-type validation, enabling potential code execution. Impact is tied to affected versions before patch: 3.4.14 and 4.34.0. Remediation is to upgra...

CVSS 8.8, AI score 8.7, EPSS 0.01104. Exploits: 0, References: 2, Affected Software: 1
OSV, added 2023/11/14 9:38 p.m. (26 views)

CVE-2023-48217 Remote code execution via form uploads in statamic/cms

Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...

CVSS 8.8, AI score 8.6, EPSS 0.01104. Exploits: 0, References: 4
OSV, added 2023/11/14 6:48 p.m. (22 views)

GHSA-RW82-MHMX-GRMJ Guest Entries Remote code execution via file uploads

Impact: When using the file uploads feature, it was possible to upload PHP files. Patches: The vulnerability is fixed in v3.1.2...

CVSS 8.8, AI score 8.6, EPSS 0.01022. Exploits: 0, References: 4
Github Security Blog, added 2023/11/14 6:48 p.m. (30 views)

Guest Entries Remote code execution via file uploads

Impact: When using the file uploads feature, it was possible to upload PHP files. Patches: The vulnerability is fixed in v3.1.2...

CVSS 8.8, AI score 7, EPSS 0.01022. Exploits: 0, References: 4, Affected Software: 2
NVD, added 2023/11/14 6:15 a.m. (9 views)

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

CVSS 7.2, EPSS 0.01211. Exploits: 1, References: 1
OSV, added 2023/11/14 6:15 a.m. (17 views)

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

CVSS 7.2, AI score 6.9. Exploits: 0, References: 1
Prion, added 2023/11/14 6:15 a.m. (15 views)

Directory traversal

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

CVSS 5.8, AI score 7.2, EPSS 0.01211. Exploits: 1, References: 1, Affected Software: 1
Cvelist, added 2023/11/14 12:00 a.m. (14 views)

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...

AI score 7.2, EPSS 0.01211. Exploits: 1, References: 1
Veracode, added 2023/11/13 8:00 a.m. (14 views)

Unrestricted Upload Of Files

statamic/cms is vulnerable to Unrestricted Upload Of File With Dangerous Type. The vulnerability is due to FormController.php as there is only a generic file validation rule, which only confirms the presence of a file without checking its type. This lack of explicit validation of file type, allow...

CVSS 9.8, AI score 7.1, EPSS 0.01121. Exploits: 0, References: 5, Affected Software: 1
OSV, added 2023/11/12 3:57 p.m. (29 views)

GHSA-72HG-5WR5-RMFC Statamic CMS remote code execution via front-end form uploads

Impact: On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches: It has been patched i...

CVSS 8.3, AI score 9.2, EPSS 0.01121. Exploits: 0, References: 5
Github Security Blog, added 2023/11/12 3:57 p.m. (34 views)

Statamic CMS remote code execution via front-end form uploads

Impact: On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches: It has been patched i...

CVSS 9.8, AI score 7.2, EPSS 0.01121. Exploits: 0, References: 5, Affected Software: 1
Prion, added 2023/11/10 7:15 p.m. (24 views)

Code injection

Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...

CVSS 7.5, AI score 7.1, EPSS 0.01121. Exploits: 0, References: 3, Affected Software: 1
Cvelist, added 2023/11/10 6:48 p.m. (42 views)

CVE-2023-47129 Statamic CMS remote code execution via front-end form uploads

Statamic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...

CVSS 8.3, AI score 9.7, EPSS 0.01121. Exploits: 0, References: 3
CNNVD, added 2023/11/03 12:00 a.m. (3 views)

WPN-XM Serverstack Security Vulnerability

WPN-XM Serverstack is a server stack from the WPN-XM organization for developing PHP on Windows. A security vulnerability exists in WPN-XM Serverstack version 0.8.6, which stems from the presence of a local file inclusion vulnerability that could result in loading PHP files on the server, which...

CVSS 9.8, AI score 6.5, EPSS 0.00615. Exploits: 0, References: 2
NVD, added 2023/11/02 2:15 p.m. (19 views)

CVE-2023-42802

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PH...

CVSS 10, AI score 9.7, EPSS 0.00849. Exploits: 0, References: 2
NVD, added 2023/11/01 10:15 a.m. (19 views)

CVE-2023-1714

Unsafe variable extraction in bitrix/modules/main/classes/general/useroptions.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization...

CVSS 8.8, AI score 8.8, EPSS 0.01399. Exploits: 1, References: 1