10 matches found
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the POST multipart upload process. An attacker can write arbitrary files to any existing directory on the filesystem by crafting a specially constructed URL path containing directory traversal sequences and...
OpenSTAManager has an OS Command Injection in P7M File Processing
Summary A critical OS Command Injection vulnerability exists in the P7M signed XML file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. Vulnerable Code File:...
WordPress plugin MxChat 信息泄露漏洞
WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin MxChat, which stems from...
CVE-2025-34239 Advantech WebAccess/VPN < 1.1.5 Command Injection in AppManagementController.appUpgradeAction()
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction that allows an authenticated system administrator to execute arbitrary commands as the web server user www-data by supplying a crafted uploaded filename...
Command Injection
Overview OctoPrint is a snappy web interface for your 3D printer Affected versions of this package are vulnerable to Command Injection due to upload file when a specially crafted filename is included in a command defined in a system event handler and the corresponding event is triggered. An...
Mahara 安全漏洞
Mahara is a free and open source web-based ePortfolio management system from Mahara. A security vulnerability exists in Mahara versions prior to 22.10.6, 23.04.6, and 24.04.1, which stems from an uploaded filename that contains malicious JavaScript code that could lead to a cross-site scripting...
PT-2022-23602 · Unknown · Rpi-Jukebox-Rfid
Name of the Vulnerable Software and Affected Versions: RPi-Jukebox-RFID version 2.3.0 Description: A command injection issue was discovered in the /htdocs/utils/Files.php component. This issue is exploited via a crafted payload injected into the file name of an uploaded file. Recommendations: For...
CVE-2017-0912
Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling...
CVE-2017-0912
Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling...
CVE-2006-2832
Cross-site scripting XSS vulnerability in the upload module upload.module in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename...