Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-28023 1Servicetonic 1Servicetonic Jun 17, 2026 Nov 8, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths.
CVE-2021-34685 1Hitachi 1Vantara Pentaho Jun 17, 2026 Nov 8, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .j...Show more UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).Show less
CVE-2021-31599 1Hitachi 2Vantara Pentaho Vantara Pentaho Business Intelligence Server Jun 17, 2026 Nov 8, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex repo...Show more An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.Show less
CVE-2021-42669 1Engineers Online Portal Project 1Engineers Online Portal Jun 17, 2026 Nov 5, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploa...Show more A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id.Show less
CVE-2020-18261 1Ed01 Cms Project 1Ed01 Cms Jun 17, 2026 Nov 3, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands.
CVE-2021-26740 1Doyocms Project 1Doyocms Jun 17, 2026 Nov 1, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code.
CVE-2021-38847 1S Cart 1S Cart Jun 17, 2026 Nov 1, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 S-Cart v6.4.1 and below was discovered to contain an arbitrary file upload vulnerability in the Editor module on the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted IMG file.
CVE-2018-25019 1Learndash 1Learndash Nov 21, 2024 Nov 1, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to up...Show more The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web serverShow less
CVE-2021-41646 2Janobe Online Reviewer System Project 2Online Reviewer System Online Reviewer System Jun 17, 2026 Oct 29, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..
CVE-2021-41645 1Oretnom23 1Budget And Expense Tracker System Jun 17, 2026 Oct 29, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. .
CVE-2021-41644 2Online Food Ordering System Project Oretnom23 2Online Food Ordering System Online Food Ordering System Jun 17, 2026 Oct 29, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.
CVE-2021-41643 1Church Management System Project 1Church Management System Jun 17, 2026 Oct 29, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.
CVE-2021-41675 1E Negosyo System Project 1E Negosyo System Jun 17, 2026 Oct 29, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. .
CVE-2021-36548 1Monstra 1Monstra Jun 17, 2026 Oct 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file.
CVE-2021-36547 1Mara Cms Project 1Mara Cms Jun 17, 2026 Oct 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution (RCE) vulnerability in the component /codebase/dir.php?type=filenew of Mara v7.5 allows attackers to execute arbitrary commands via a crafted PHP file.
CVE-2021-3745 1Flatcore 1Flatcore Cms Jun 17, 2026 Oct 28, 2021 N/A· v4 6.6 MEDIUM· v3 6.0 MEDIUM· v2 flatcore-cms is vulnerable to Unrestricted Upload of File with Dangerous Type
CVE-2021-3906 1Bookstackapp 1Bookstack Jun 17, 2026 Oct 27, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type
CVE-2021-37221 1Customer Relationship Management System Project 1Customer Relationship Management System Jun 17, 2026 Oct 27, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A file upload vulnerability exists in Sourcecodester Customer Relationship Management System 1.0 via the account update option & customer create option, which could let a remote malicious user upload an arbitrary php fil...Show more A file upload vulnerability exists in Sourcecodester Customer Relationship Management System 1.0 via the account update option & customer create option, which could let a remote malicious user upload an arbitrary php file. .Show less
CVE-2021-37372 1Online Student Admission System Project 1Online Student Admission System Jun 17, 2026 Oct 26, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Online Student Admission System 1.0 is affected by an insecure file upload vulnerability. A low privileged user can upload malicious PHP files by updating their profile image to gain remote code execution.
CVE-2021-40344 1Nagios 1Nagios Xi Jun 17, 2026 Oct 26, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is...Show more An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.Show less

Previous 1...155156157...206 Next