856 matches found
CVE-2023-41788
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773...
CVE-2023-5815 News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Remote Code Execution via Local File Inclusion
The News & Blog Designer Pack – WordPress Blog Plugin — Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdpgetmorepost...
Remote Code Execution (RCE)
guest-entries is vulnerable to Remote Code Execution RCE. The vulnerability is due to the uploadFile function in GuestEntryController.php, as there are no checks for the file type being uploaded. This allows attackers to upload and potentially execute malicious PHP files...
CVE-2023-48217 Remote code execution via form uploads in statamic/cms
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
CVE-2023-48217
Statamic CMS vulnerability CVE-2023-48217 affects forms and asset upload fields where additional PHP files crafted to look like images could bypass mime-type validation, enabling potential code execution. Impact is tied to affected versions before patch: 3.4.14 and 4.34.0. Remediation is to upgra...
CVE-2023-48217 Remote code execution via form uploads in statamic/cms
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fiel...
GHSA-RW82-MHMX-GRMJ Guest Entries Remote code execution via file uploads
Impact When using the file uploads feature, it was possible to upload PHP files. Patches The vulnerability is fixed in v3.1.2...
Guest Entries Remote code execution via file uploads
Impact When using the file uploads feature, it was possible to upload PHP files. Patches The vulnerability is fixed in v3.1.2...
CVE-2023-45880
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...
CVE-2023-45880
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...
Directory traversal
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...
CVE-2023-45880
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...
Unrestricted Upload Of Files
statamic/cms is vulnerable to Unrestricted Upload Of File With Dangerous Type. The vulnerability is due to FormController.php as there is only a generic file validation rule, which only confirms the presence of a file without checking its type. This lack of explicit validation of file type, allow...
GHSA-72HG-5WR5-RMFC Statamic CMS remote code execution via front-end form uploads
Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches It has been patched i...
Statamic CMS remote code execution via front-end form uploads
Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. Patches It has been patched i...
Code injection
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...
CVE-2023-47129 Statamic CMS remote code execution via front-end form uploads
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This...
WPN-XM Serverstack Security Vulnerability
WPN-XM Serverstack is a server stack from the WPN-XM organization for developing PHP on Windows. A security vulnerability exists in WPN-XM Serverstack version 0.8.6, which stems from the presence of a local file inclusion vulnerability that could result in loading PHP files on the server, which...
CVE-2023-42802
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PH...
CVE-2023-1714
Unsafe variable extraction in bitrix/modules/main/classes/general/useroptions.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via 1 appending arbitrary content to existing PHP files or 2 PHAR deserialization...