Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-46660 1Ge 1Proficy Historian Nov 21, 2024 Jan 18, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An unauthorized user could alter or write files with full control over the path and content of the file.
CVE-2023-22851 1Tiki 1Tiki Apr 4, 2025 Jan 14, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
CVE-2022-42287 1Nvidia 1Bmc Nov 21, 2024 Jan 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, inform...Show more NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure and data tampering.Show less
CVE-2023-0257 2Online Food Ordering System Project Oretnom23 2Online Food Ordering System Online Food Ordering System Mar 30, 2026 Jan 12, 2023 N/A· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /fos/admin/index.php?page=menu of the...Show more A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /fos/admin/index.php?page=menu of the component Menu Form. The manipulation of the argument Image with the input <?php system($_GET['c']); ?> leads to unrestricted upload. The attack can be launched remotely. The identifier VDB-218185 was assigned to this vulnerability.Show less
CVE-2022-46610 172crm 1Wukong Crm Apr 9, 2025 Jan 10, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-44036 1B2evolution 1B2evolution Cms Nov 21, 2024 Jan 3, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a fea...Show more In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it."Show less
CVE-2022-43436 1Easy Test Project 1Easy Test Nov 21, 2024 Jan 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files, to manipulate system or disr...Show more The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files, to manipulate system or disrupt service.Show less
CVE-2022-48194 1Tp Link 1Tl Wr902ac Firmware Apr 10, 2025 Dec 30, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequa...Show more TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.Show less
CVE-2022-45427 1Dahuasecurity 5Dhi Dss4004 S2 Firmware Dhi Dss7016d S2 FirmwareDhi Dss7016dr S2 Firmware+2 more Apr 14, 2025 Dec 27, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can uploa...Show more Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specific crafted packet to the vulnerable interface, an attacker can upload arbitrary files.Show less
CVE-2022-4732 1Microweber 1Microweber Nov 21, 2024 Dec 27, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-45896 1Planetestream 1Planet Estream Apr 14, 2025 Dec 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execu...Show more Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.Show less
CVE-2022-4665 1Ampache 1Ampache Nov 21, 2024 Dec 23, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.
CVE-2022-46493 1Nbnbk Project 1Nbnbk Apr 15, 2025 Dec 22, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.
CVE-2022-45415 1Mozilla 1Firefox Apr 15, 2025 Dec 22, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded...Show more When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.Show less
CVE-2022-34483 1Mozilla 1Firefox Apr 15, 2025 Dec 22, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into e...Show more An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102.Show less
CVE-2022-34482 1Mozilla 1Firefox Apr 15, 2025 Dec 22, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into e...Show more An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.Show less
CVE-2022-0517 1Mozilla 1Vpn Apr 16, 2025 Dec 22, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mo...Show more Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mozilla VPN < 2.7.1.Show less
CVE-2022-46102 1Ayacms Project 1Ayacms Apr 15, 2025 Dec 22, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.php
CVE-2022-45966 1Classcms Project 1Classcms Apr 15, 2025 Dec 22, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.
CVE-2022-46020 1Wbce 1Wbce Cms Apr 17, 2025 Dec 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

Previous 1...129130131...206 Next