CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.


CVEs (4,107)

Each entry below lists: VENDOR | PRODUCT | UPDATED | PUBLISHED | CVSS (v4, v3, v2), followed by the CVE description.
Pluck Cms | Pluck | Updated Jun 17, 2026 | Published Dec 10, 2021 | CVSS v4 N/A, v3 8.1 HIGH, v2 7.5 HIGH
In the Pluck-4.7.15 admin background, a remote command execution vulnerability exists when uploading files.
Cybonet | Mail Secure | Updated Jun 17, 2026 | Published Dec 8, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 9.0 HIGH
PineApp - Mail Secure - The attacker must be logged in as a user to the PineApp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file, thus taking over the server and running remote code.
Fatpipeinc | Ipvpn Firmware, Mpvpn Firmware, Warp Firmware | Updated Jun 17, 2026 | Published Dec 8, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 9.3 HIGH
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
Ivanti | Avalanche | Updated Jun 17, 2026 | Published Dec 7, 2021 | CVSS v4 N/A, v3 8.1 HIGH, v2 5.5 MEDIUM
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform an arbitrary file write.
Ivanti | Avalanche | Updated Jun 17, 2026 | Published Dec 7, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to write dangerous files.
Webhmi | Webhmi Firmware | Updated Jun 17, 2026 | Published Dec 6, 2021 | CVSS v4 N/A, v3 9.8 CRITICAL, v2 10.0 HIGH
The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, which may be automatically processed within the product's environment or lead to arbitrary code execution.
Tiny | Plupload | Updated Jun 17, 2026 | Published Dec 3, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user into uploading this kind of file.
Zblogcn | Z Blogphp | Updated Jun 17, 2026 | Published Dec 2, 2021 | CVSS v4 N/A, v3 7.8 HIGH, v2 6.8 MEDIUM
An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.
Zohocorp | Manageengine M365 Manager Plus | Updated Jun 17, 2026 | Published Nov 30, 2021 | CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
Businessdnasolutions | Topease | Updated Jun 17, 2026 | Published Nov 30, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
Unrestricted File Upload in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 in the File Upload Functions allows an authenticated remote attacker with Upload privileges to upload files with any file type, enabling client-side attacks.
Zrlog | Zrlog | Updated Jun 17, 2026 | Published Nov 28, 2021 | CVSS v4 N/A, v3 7.8 HIGH, v2 6.8 MEDIUM
ZrLog 2.2.2 has a remote command execution vulnerability in the plugin download function; it could execute any JAR file.
Zrlog | Zrlog | Updated Jun 17, 2026 | Published Nov 28, 2021 | CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
A remote command execution vulnerability in the zrlog 2.2.2 background, at the upload avatar function, could bypass the original limit and upload a JSP file to get a WebShell.
Concretecms | Concrete Cms | Updated Jun 17, 2026 | Published Nov 19, 2021 | CVSS v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. This fix is also in Concrete version 9.0.0.
Wordpress Popular Posts Project | Wordpress Popular Posts | Updated Jun 17, 2026 | Published Nov 17, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file, which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
Nextcloud | Talk | Updated Jun 17, 2026 | Published Nov 15, 2021 | CVSS v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy.
Vice | Webopac | Updated Jun 17, 2026 | Published Nov 15, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 9.0 HIGH
Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logged in with a general user’s permission, remote attackers can upload a malicious script and execute arbitrary code to control the system or interrupt services.
Laravel | Framework | Updated Jun 17, 2026 | Published Nov 14, 2021 | CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Bookstackapp | Bookstack | Updated Jun 17, 2026 | Published Nov 13, 2021 | CVSS v4 N/A, v3 5.7 MEDIUM, v2 3.5 LOW
BookStack is vulnerable to Unrestricted Upload of File with Dangerous Type.
Zohocorp | Manageengine Patch Connect Plus | Updated Jun 17, 2026 | Published Nov 11, 2021 | CVSS v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.
Beescms | Beescms | Updated Jun 17, 2026 | Published Nov 8, 2021 | CVSS v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
BEESCMS v4.0 was discovered to contain an arbitrary file upload vulnerability via the component /admin/upload.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.