Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-34997 1Commvault 1Commcell Jun 17, 2026 Jan 13, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authenticatio...Show more This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AppStudioUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13894.Show less
CVE-2021-34995 1Commvault 1Commcell Jun 17, 2026 Jan 13, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authenticatio...Show more This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DownloadCenterUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-13756.Show less
CVE-2021-45411 1Printable Staff Id Card Creator System Project 1Printable Staff Id Card Creator System Jun 17, 2026 Jan 12, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
CVE-2021-44651 1Zohocorp 2Log360 Manageengine Cloud Security Plus Jun 17, 2026 Jan 12, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
CVE-2021-4080 1Craterapp 1Crater Jun 17, 2026 Jan 12, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 crater is vulnerable to Unrestricted Upload of File with Dangerous Type
CVE-2021-43973 1Sysaid 1Sysaid Jun 17, 2026 Jan 11, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful requ...Show more An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to upload an arbitrary file via the file parameter in the HTTP POST body. A successful request returns the absolute, server-side filesystem path of the uploaded file.Show less
CVE-2021-46079 1Vehicle Service Management System Project 1Vehicle Service Management System Jun 17, 2026 Jan 6, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.
CVE-2021-46078 1Vehicle Service Management System Project 1Vehicle Service Management System Jun 17, 2026 Jan 6, 2022 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.
CVE-2021-46076 1Vehicle Service Management System Project 1Vehicle Service Management System Jun 17, 2026 Jan 6, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.
CVE-2021-44031 1Quest 1Kace Desktop Authority Jun 17, 2026 Dec 22, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code executio...Show more An issue was discovered in Quest KACE Desktop Authority before 11.2. /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx contains a vulnerability that could allow pre-authentication remote code execution. An attacker could upload a .ASP file to reside at /images/{GUID}/{filename}.Show less
CVE-2021-24981 1Wpwax 1Directorist Jun 17, 2026 Dec 21, 2021 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.
CVE-2021-35244 1Solarwinds 1Orion Platform Jun 17, 2026 Dec 20, 2021 N/A· v4 7.2 HIGH· v3 8.5 HIGH· v2 The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerabili...Show more The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution.Show less
CVE-2021-44164 1Chinasea 1Qb Smart Service Robot Jun 17, 2026 Dec 20, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary...Show more Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service.Show less
CVE-2021-44159 14mosan 1Gcb Doctor Jun 17, 2026 Dec 20, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform ar...Show more 4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or deny of service attack.Show less
CVE-2021-23814 1Unisharp 1Laravel Filemanager Jun 17, 2026 Dec 17, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps...Show more This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: 1. Install a package with a web Laravel application. 2. Navigate to the Upload window 3. Upload an image file, then capture the request 4. Edit the request contents with a malicious file (webshell) 5. Enter the path of file uploaded on URL - Remote Code Execution Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).Show less
CVE-2021-41560 1Opencats 1Opencats Jun 17, 2026 Dec 15, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php.
CVE-2021-41870 1Socomec 1Remote View Pro Firmware Jun 17, 2026 Dec 15, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in the firmware update form in Socomec REMOTE VIEW PRO 2.0.41.4. An authenticated attacker can bypass a client-side file-type check and upload arbitrary .php files.
CVE-2021-43829 1Patrowl 1Patrowlmanager Jun 17, 2026 Dec 14, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable o...Show more PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue.Show less
CVE-2021-40883 1Emlog 1Emlog Jun 17, 2026 Dec 14, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins.
CVE-2021-43117 1Fastadmin 1Fastadmin Jun 17, 2026 Dec 13, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.

Previous 1...153154155...206 Next