416 matches found
CVE-2024-23756
The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...
CVE-2024-23756
The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...
CVE-2024-24254
PX4 Autopilot 1.14 and earlier, due to the lack of synchronization mechanism for loading geofence data, has a Race Condition vulnerability in the geofence.cpp and missionfeasibilitychecker.cpp. This will result in the drone uploading overlapping geofences and mission routes...
CVE-2024-23826 Uploading an image with a specific filename causes a server-side DoS
spbusesite is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is...
WWBN AVideo import.json.php temporary copy unrestricted php file upload vulnerability
Talos Vulnerability Report TALOS-2023-1885 WWBN AVideo import.json.php temporary copy unrestricted php file upload vulnerability January 10, 2024 CVE Number CVE-2023-49715 SUMMARY A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVide...
CVE-2023-36486
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename...
CVE-2020-17485
A Remote Code Execution vulnerability exist in Uffizio's GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources...
CVE-2020-17485
A Remote Code Execution vulnerability exist in Uffizio's GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources...
Privilege escalation
Kaifa Technology WebITR is an online attendance system, its file uploading function does not restrict upload of file with dangerous type. A remote attacker with regular user privilege can exploit this vulnerability to upload arbitrary files to perform arbitrary command or disrupt service...
CVE-2023-48376
SmartStar Software CWS is a web-based integration platform, its file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files to perform arbitrary command or disrupt service...
CVE-2023-48371
ITPison OMICARD EDM is affected by CVE-2023-48371 due to a file upload feature that does not restrict dangerous file types. An unauthenticated remote attacker can upload and execute arbitrary executables, enabling arbitrary system commands or disruption of service. Documents reference affected ve...
CVE-2023-4460 Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored XSS via SVG
The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...
CVE-2023-4460 Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored XSS via SVG
The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...
PT-2023-29272 · WordPress · Uploading Svg
Name of the Vulnerable Software and Affected Versions: Uploading SVG, WEBP and ICO files WordPress plugin versions 1.2.1 and earlier Description: The issue concerns the failure to sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containin...
WordPress plugin Uploading SVG, WEBP and ICO files security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in the...
CVE-2023-6070
A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration. This is possible through the certificate validation functionality where the API accepts uploaded content and doesn...
Virtuozzo Hybrid Infrastructure 6.0 (6.0.0-243)
In this release, Virtuozzo Hybrid Infrastructure provides an upgrade of the Linux distribution, kernel, and toolset packages. This release also contains a range of new features that cover storage performance, object storage, as well as monitoring and alerts. Additionally, this release delivers...
CVE-2023-41343 Ragic No-Code Database Builder - Stored XSS
Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS Stored Cross-Site Scripting attack...
BIT-2023-46119
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1...
PT-2023-27916 · Rogic · Rogic No-Code Database Builder
Name of the Vulnerable Software and Affected Versions: Rogic No-Code Database Builder affected versions not specified Description: The issue concerns the file uploading function in Rogic No-Code Database Builder, which has insufficient filtering for special characters. This allows a remote attack...