CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
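The following is an added example, not code from this CVE index or from any of the products listed below. It puts the CWE-434 handler shape beside a hardened one in Python, modelling two mistakes that recur in the entries on this page: trusting the client-supplied Content-Type header (the FortiLogger entry) and letting the client's filename, double extension included (the ProBot entry's .html.jpg), decide how the stored file is later interpreted. ALLOWED_TYPES, validate_upload, store_upload, the upload directory path and the sample PNG bytes are assumptions made for illustration.

```python
import os
import secrets

# Server-side allowlist: extension -> (leading magic bytes, Content-Type to
# serve).  Everything else (php, jsp, asp, html, svg, ...) is rejected.
# Hypothetical table for this example.
ALLOWED_TYPES = {
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
    "gif":  (b"GIF8",              "image/gif"),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_destination(filename: str, content_type: str, webroot: str) -> str:
    """The CWE-434 shape.  The only check is the client-supplied Content-Type
    header, the client-supplied name is kept verbatim, and the file lands
    inside the web root where the app server executes it by extension.
    'shell.php' sent with 'Content-Type: image/png' goes straight through."""
    if not content_type.startswith("image/"):
        raise UploadRejected("not an image")
    return os.path.join(webroot, "uploads", filename)


def validate_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Hardened validation.  Returns (extension, content_type_to_serve).
    The client's Content-Type header is deliberately not a parameter: it is
    attacker-controlled and says nothing about the bytes."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Drop any directory part the client sent (../../var/www/x.php).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    magic, served_type = ALLOWED_TYPES[ext]
    # The bytes must look like what the extension claims.  This catches
    # 'shell.php' renamed to 'shell.png', but NOT a valid PNG with PHP
    # appended (a polyglot), which is why store_upload() never places the
    # file where an interpreter could run it.
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    return ext, served_type


def accepted(filename: str, data: bytes) -> bool:
    """True if validate_upload() would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str) -> tuple[str, str]:
    """Store under a server-generated name in a directory outside the web
    root (assumption: upload_dir is not served or executed by the app server).
    The original name is never reused, so 'x.html.jpg' or 'x.php.png' cannot
    influence how the file is interpreted, and the Content-Type used when
    serving it comes from the allowlist, not from the client."""
    ext, served_type = validate_upload(filename, data)
    dest = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(dest)]) != root:
        raise UploadRejected("path escapes upload dir")  # defence in depth
    # O_EXCL: never overwrite an existing file; 0o640: not executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest, served_type


def demo() -> dict:
    """End-to-end run of the hardened path in a temporary directory, using a
    constructed sample input (a minimal PNG signature plus padding)."""
    import tempfile
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    dest, served_type = store_upload("../evil.PNG", png, upload_dir)
    with open(dest, "rb") as f:
        intact = f.read() == png
    return {"dir": upload_dir, "dest": dest, "type": served_type, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

The magic-byte check is a filter, not the control: a byte-exact PNG with a script appended passes it. The properties that actually stop execution are the server-chosen name, the storage location outside the web root, and the server-chosen Content-Type on the way back out.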


CVEs (4,107)

Each entry lists: vendor(s) / product(s); updated and published dates; CVSS v4 · v3 · v2; description.
Janobe / Baby Care System
Updated: Jun 17, 2026 · Published: Feb 17, 2021 · CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
An arbitrary file upload vulnerability has been identified in posts.php in Baby Care System 1.0. The vulnerability could be exploited by a remote attacker to upload content to the server, including PHP files, which could result in command execution and obtaining a shell.
Changjia Property Management System Project / Changjia Property Management System
Updated: Jun 17, 2026 · Published: Feb 17, 2021 · CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
Attackers can access the CGE account management function without privilege for permission elevation and execute arbitrary commands or files after obtaining user permissions.
IBM / Spectrum Protect Operations Center
Updated: Jun 17, 2026 · Published: Feb 15, 2021 · CVSS: v4 N/A · v3 8.0 HIGH · v2 5.2 MEDIUM
IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155.
Magento / Magento
Updated: Jun 17, 2026 · Published: Feb 11, 2021 · CVSS: v4 N/A · v3 9.1 CRITICAL · v2 6.5 MEDIUM
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Monitorr / Monitorr
Updated: Jun 17, 2026 · Published: Feb 10, 2021 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server side via an insecure file upload.
Google, Microsoft / Chrome, Edge Chromium
Updated: Jun 17, 2026 · Published: Feb 9, 2021 · CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
Probot / Bot
Updated: Jun 17, 2026 · Published: Feb 9, 2021 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side."
Ucopia / Ucopia Wireless Appliance
Updated: Jun 17, 2026 · Published: Feb 2, 2021 · CVSS: v4 N/A · v3 8.2 HIGH · v2 7.2 HIGH
UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command.
Fortilogger / Fortilogger
Updated: Jun 17, 2026 · Published: Feb 1, 2021 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.
Yccms / Yccms
Updated: Jun 17, 2026 · Published: Feb 1, 2021 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Unrestricted file upload vulnerability in the yccms 3.3 project. Improper validation of the request parameters in the xhUp function triggers remote code execution.
Churchdesk / Churchrota
Updated: Jun 17, 2026 · Published: Jan 26, 2021 · CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.
Schneider Electric / Ecostruxure Power Build Rapsody
Updated: Jun 17, 2026 · Published: Jan 26, 2021 · CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a stack-based buffer overflow to occur which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
Schneider Electric / Ecostruxure Power Build Rapsody
Updated: Jun 17, 2026 · Published: Jan 26, 2021 · CVSS: v4 N/A · v3 7.8 HIGH · v2 6.8 MEDIUM
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
Openmaint / Openmaint
Updated: Jun 17, 2026 · Published: Jan 26, 2021 · CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
openMAINT before 1.1-2.4.2 allows remote authenticated users to run arbitrary JSP code on the underlying web server.
Feehi / Feehi Cms
Updated: Jun 17, 2026 · Published: Jan 26, 2021 · CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Feehi CMS 2.1.0 is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. A logged-in administrator can upload malicious files through the administrator image upload page.
Openmage / Openmage
Updated: Jun 17, 2026 · Published: Jan 21, 2021 · CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage versions, from 19.4.9 and 20.0.5 upward, have this issue solved.
Openmage / Openmage
Updated: Jun 17, 2026 · Published: Jan 21, 2021 · CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage versions, from 19.4.9 and 20.0.5 upward, have this issue solved.
Openmage / Openmage
Updated: Jun 17, 2026 · Published: Jan 20, 2021 · CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data was able to store an executable file on the server and load it via layout xml. The latest OpenMage versions, from 19.4.10 and 20.0.6 upward, have this issue solved.
Open Emr / Openemr
Updated: Jun 17, 2026 · Published: Jan 20, 2021 · CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
Atlassian / Confluence Data Center, Confluence Server
Updated: Jun 17, 2026 · Published: Jan 19, 2021 · CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.