Search Results (4292 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-11405 1 Cmsmadesimple 1 Cms Made Simple 2025-04-20 N/A
In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file.
CVE-2017-12929 1 Tecnovision 1 Dlx Spot Player4 2025-04-20 N/A
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution.
CVE-2017-13982 1 Hp 1 Bsm Platform Application Performance Management System Health 2025-04-20 N/A
A directory traversal vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows users to upload unrestricted files.
CVE-2017-14704 1 Claydip 1 Airbnb Clone 2025-04-20 N/A
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/profile.
CVE-2017-5520 1 Metalgenix 1 Genixcms 2025-04-20 N/A
The media rename feature in GeniXCMS through 0.0.8 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to rename and execute files with the `.php6`, `.php7` and `.phtml` extensions.
CVE-2017-9380 1 Open-emr 1 Openemr 2025-04-20 8.8 High
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
CVE-2014-2664 1 X2engine 1 X2crm 2025-04-20 N/A
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
CVE-2017-6104 1 Zen Mobile App Native Project 1 Zen Mobile App Native 2025-04-20 N/A
Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0.
CVE-2017-7357 1 Atlassian 1 Hipchat Server 2025-04-20 N/A
Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.
CVE-2017-7989 1 Joomla 1 Joomla\! 2025-04-20 N/A
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
CVE-2017-8080 1 Atlassian 1 Hipchat Server 2025-04-20 N/A
Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads.
CVE-2017-8862 1 Cohuhd 2 3960hd, 3960hd Firmware 2025-04-20 N/A
The webupgrade function on the Cohu 3960HD does not verify the firmware upgrade files or process, allowing an attacker to upload a specially crafted postinstall.sh file that will be executed with "root" privileges.
CVE-2017-2737 1 Huawei 2 Vcm5010, Vcm5010 Firmware 2025-04-20 N/A
VCM5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that uploaded. An authenticated attacker could upload arbitrary files to the system.
CVE-2017-2699 1 Huawei 6 Honor 7, Honor 7 Firmware, Lyo-l21 and 3 more 2025-04-20 N/A
The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. An attacker could exploit this vulnerability to upload theme packs containing malicious files and trick users into installing the theme packets, resulting in the execution of arbitrary code.
CVE-2017-17727 1 Dedecms 1 Dedecms 2025-04-20 N/A
DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.
CVE-2017-15673 1 Cs-cart 1 Cs-cart 2025-04-20 N/A
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.
CVE-2017-15580 1 Osticket 1 Osticket 2025-04-20 N/A
osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file, such as with a tickets.php request that is modified with a .html extension changed to a .exe extension. An attacker can leverage this vulnerability to upload arbitrary files on the web application having malicious content.
CVE-2015-8249 1 Manageengine 1 Desktop Central 2025-04-20 N/A
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.
CVE-2017-14840 1 Teamworktec 1 Ticketplus 2025-04-20 N/A
TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.
CVE-2017-14839 1 Teamworktec 1 Photo Fusion 2025-04-20 N/A
TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.