Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-34024 1Barangay Management System Project 1Barangay Management System Jun 17, 2026 Jul 19, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.
CVE-2022-1565 1Wpallimport 1Wp All Import Jun 17, 2026 Jul 18, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated...Show more The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.Show less
CVE-2022-24688 1Dsk 1Dsknet Jun 17, 2026 Jul 18, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attack...Show more An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.Show less
CVE-2021-36711 1Octobot 1Octobot Jun 17, 2026 Jul 16, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
CVE-2022-31161 1Roxy Wi 1Roxy Wi Jun 17, 2026 Jul 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received f...Show more Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.Show less
CVE-2022-32119 1Arox 1School Erp Pro Jun 17, 2026 Jul 15, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.
CVE-2021-36461 1Microweber 1Microweber Jun 17, 2026 Jul 15, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.
CVE-2022-2420 1Eveo 1Urve Web Manager Jun 17, 2026 Jul 15, 2022 N/A· v4 8.0 HIGH· v3 N/A· v2 A vulnerability was found in URVE Web Manager. It has been rated as critical. This issue affects some unknown processing of the file _internal/uploader.php. The manipulation leads to unrestricted upload. The attack needs...Show more A vulnerability was found in URVE Web Manager. It has been rated as critical. This issue affects some unknown processing of the file _internal/uploader.php. The manipulation leads to unrestricted upload. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-2419 1Eveo 1Urve Web Manager Jun 17, 2026 Jul 15, 2022 N/A· v4 8.0 HIGH· v3 N/A· v2 A vulnerability was found in URVE Web Manager. It has been declared as critical. This vulnerability affects unknown code of the file _internal/collector/upload.php. The manipulation leads to unrestricted upload. Access t...Show more A vulnerability was found in URVE Web Manager. It has been declared as critical. This vulnerability affects unknown code of the file _internal/collector/upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-2418 1Eveo 1Urve Web Manager Jun 17, 2026 Jul 15, 2022 N/A· v4 8.0 HIGH· v3 N/A· v2 A vulnerability was found in URVE Web Manager. It has been classified as critical. This affects an unknown part of the file kreator.html5/img_upload.php. The manipulation leads to unrestricted upload. Access to the local...Show more A vulnerability was found in URVE Web Manager. It has been classified as critical. This affects an unknown part of the file kreator.html5/img_upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-22450 1Ibm 1Security Verify Governance Jun 17, 2026 Jul 14, 2022 N/A· v4 3.8 LOW· v3 N/A· v2 IBM Security Verify Identity Manager 10.0 could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request. IBM X-Force ID: 224916.
CVE-2022-28372 1Verizon 2Lvskihp Indoorunit Firmware Lvskihp Outdoorunit Firmware Jun 17, 2026 Jul 14, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtc...Show more On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtcfwimage. The URL provided is not validated, and thus allows for arbitrary file upload to the device. This occurs in /lib/lua/luci/crtc.lua (IDU) and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh (ODU).Show less
CVE-2022-28369 1Verizon 1Lvskihp Indoorunit Firmware Jun 17, 2026 Jul 14, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmod...Show more Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root.Show less
CVE-2022-32114 1Strapi 1Strapi Jun 17, 2026 Jul 13, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Medi...Show more An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.Show less
CVE-2022-30216 1Microsoft 4Windows 10 Windows 11Windows Server 2016+1 more Jun 17, 2026 Jul 12, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Windows Server Service Tampering Vulnerability
CVE-2022-31134 1Zulip 1Zulip Server Jun 17, 2026 Jul 12, 2022 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data"...Show more Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.Show less
CVE-2022-2297 1Oretnom23 1Clinic's Patient Management System Jun 17, 2026 Jul 12, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the ar...Show more A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the argument profile_picture with the input <?php phpinfo();?> leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-1952 1Syntacticsinc 1Easync Jun 17, 2026 Jul 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An A...Show more The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.Show less
CVE-2021-29281 1Gfi 1Archiver Jun 17, 2026 Jul 7, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.
CVE-2022-31854 1Codologic 1Codoforum Jun 17, 2026 Jul 7, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.

Previous 1...140141142...206 Next