Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-23906 1Cmsmadesimple 1Cms Made Simple Jun 17, 2026 Feb 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.
CVE-2022-26149 1Modx 1Revolution Jun 17, 2026 Feb 26, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
CVE-2021-44664 1Xerte 1Xerte Jun 17, 2026 Feb 24, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a lang...Show more An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypasses the upload filters. Attackers can manipulate the files destination by abusing path traversal in the 'mediapath' variable.Show less
CVE-2022-25360 1Watchguard 1Fireware Jun 17, 2026 Feb 24, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1...Show more WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.Show less
CVE-2022-23043 1Tribalsystems 1Zenario Jun 17, 2026 Feb 24, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the reques...Show more Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server.Show less
CVE-2021-44967 1Limesurvey 1Limesurvey Jun 17, 2026 Feb 24, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position...Show more A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding.Show less
CVE-2022-24553 1Zfaka Project 1Zfaka Jun 17, 2026 Feb 21, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was found in Zfaka <= 1.4.5. The verification of the background file upload function check is not strict, resulting in remote command execution.
CVE-2022-23375 1Wikidocs 1Wikidocs Jun 17, 2026 Feb 19, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php.
CVE-2022-0409 1Showdoc 1Showdoc Jun 17, 2026 Feb 19, 2022 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2.
CVE-2021-46036 1Mingsoft 1Mcms Jun 17, 2026 Feb 18, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.
CVE-2022-24984 1Jqueryform 1Jqueryform Jun 17, 2026 Feb 16, 2022 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-ext...Show more Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-extension checks occur on the client side, and because not all executable content (e.g., .phtml or .php.bak) is blocked.Show less
CVE-2022-23390 1Diyhi 1Bbs Forum Jun 17, 2026 Feb 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files.
CVE-2021-22803 1Schneider Electric 1Interactive Graphical Scada System Data Collector Jun 17, 2026 Feb 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could lead to remote code execution through a number of paths, when an attacker, writes arbitrary files to folders in context of the DC...Show more A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could lead to remote code execution through a number of paths, when an attacker, writes arbitrary files to folders in context of the DC module, by sending constructed messages on the network. Affected Product: Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior)Show less
CVE-2020-13675 1Drupal 1Drupal Jun 17, 2026 Feb 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload f...Show more Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.Show less
CVE-2022-23048 1Exponentcms 1Exponent Cms Jun 17, 2026 Feb 9, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}...Show more Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.Show less
CVE-2021-37194 1Siemens 1Comos Jun 17, 2026 Feb 9, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web c...Show more A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS allows to upload and store arbitrary files at the webserver. This could allow an attacker to store malicious files.Show less
CVE-2021-46360 1Ocproducts 1Composr Jun 17, 2026 Feb 9, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
CVE-2022-24676 1Hyphp 1Hybbs2 Jun 17, 2026 Feb 9, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive.
CVE-2021-24947 1Thinkupthemes 1Responsive Vector Maps Jun 17, 2026 Feb 7, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, s...Show more The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web serverShow less
CVE-2022-0472 1Laracom Project 1Laracom Jun 17, 2026 Feb 4, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.

Previous 1...151152153...206 Next