CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.


CVEs (4,107)

Columns: CVE | Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2)
Vendors (1): Sap | Products (1): Disclosure Management | Updated: Jun 17, 2026 | Published: Dec 9, 2020 | CVSS v4: N/A | CVSS v3: 6.4 MEDIUM | CVSS v2: 5.5 MEDIUM
SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet.

Vendors (1): Sap | Products (1): Netweaver Application Server Java | Updated: Jun 17, 2026 | Published: Dec 9, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.0 MEDIUM
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

Vendors (1): Txjia | Products (1): Imcat | Updated: Jun 17, 2026 | Published: Dec 9, 2020 | CVSS v4: N/A | CVSS v3: 7.2 HIGH | CVSS v2: 6.5 MEDIUM
imcat 5.2 allows an authenticated file upload and consequently remote code execution via the picture functionality.

Vendors (1): Getkirby | Products (2): Kirby, Panel | Updated: Jun 17, 2026 | Published: Dec 8, 2020 | CVSS v4: N/A | CVSS v3: 9.1 CRITICAL | CVSS v2: 6.5 MEDIUM
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend upgrading your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend updating to Kirby 2.5.14.

Vendors (1): Incomcms Project | Products (1): Incomcms | Updated: Jun 17, 2026 | Published: Dec 7, 2020 | CVSS v4: N/A | CVSS v3: 9.8 CRITICAL | CVSS v2: 7.5 HIGH
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server.

Vendors (1): Openclinic Project | Products (1): Openclinic | Updated: Jun 17, 2026 | Published: Dec 3, 2020 | CVSS v4: N/A | CVSS v3: 7.2 HIGH | CVSS v2: 6.5 MEDIUM
OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server.

Vendors (1): Outsystems | Products (1): Outsystems | Updated: Jun 17, 2026 | Published: Nov 30, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 6.4 MEDIUM
An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being processed asynchronously, or deny access to legitimate uploaded files.

Vendors (1): Ucms Project | Products (1): Ucms | Updated: Jun 17, 2026 | Published: Nov 30, 2020 | CVSS v4: N/A | CVSS v3: 9.8 CRITICAL | CVSS v2: 10.0 HIGH
File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain server management permission.

Vendors (2): Drupal, Fedoraproject | Products (2): Drupal, Fedora | Updated: Jun 17, 2026 | Published: Nov 20, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.5 MEDIUM
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Vendors (1): Schneider Electric | Products (1): Webreports | Updated: Jun 17, 2026 | Published: Nov 19, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.5 MEDIUM
A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution.

Vendors (1): Lemocms | Products (1): Lemocms | Updated: Jun 17, 2026 | Published: Nov 18, 2020 | CVSS v4: N/A | CVSS v3: 7.3 HIGH | CVSS v2: 7.5 HIGH
app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload executable files.

Vendors (1): Online Library Management System Project | Products (1): Online Library Management System | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 9.8 CRITICAL | CVSS v2: 10.0 HIGH
An Arbitrary File Upload in the Upload Image component in SourceCodester Online Library Management System 1.0 allows the user to conduct remote code execution via admin/borrower/index.php?view=add because .php files can be uploaded to admin/borrower/photos (under the web root).

Vendors (1): Aviatrix | Products (1): Controller | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 9.8 CRITICAL | CVSS v2: 7.5 HIGH
An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

Vendors (1): Phpgurukul | Products (1): Tourism Management System | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.5 MEDIUM
An Arbitrary File Upload discovered in SourceCodester Tourism Management System 1.0 allows the user to conduct remote code execution via the vulnerable admin/create-package.php page.

Vendors (1): Online Clothing Store Project | Products (1): Online Clothing Store | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 9.8 CRITICAL | CVSS v2: 7.5 HIGH
SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php.

Vendors (1): Artworks Gallery In Php, Css, Javascript, And Mysql Project | Products (1): Artworks Gallery In Php, Css, Javascript, And Mysql | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 9.0 HIGH
The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.

Vendors (1): Artworks Gallery In Php, Css, Javascript, And Mysql Project | Products (1): Artworks Gallery In Php, Css, Javascript, And Mysql | Updated: Jun 17, 2026 | Published: Nov 17, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 9.0 HIGH
The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.

Vendors (1): Horizontcms Project | Products (1): Horizontcms | Updated: Jun 17, 2026 | Published: Nov 16, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 9.0 HIGH
An unrestricted file upload issue in HorizontCMS 1.0.0-beta allows an authenticated remote attacker to upload PHP code through a zip file by uploading a theme, and executing the PHP file via an HTTP GET request to /themes/<php_file_name>.

Vendors (1): Gilacms | Products (1): Gila Cms | Updated: Jun 17, 2026 | Published: Nov 16, 2020 | CVSS v4: N/A | CVSS v3: 7.2 HIGH | CVSS v2: 6.5 MEDIUM
In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function for executing PHP files.

Vendors (1): Ivanti | Products (1): Endpoint Manager | Updated: Jun 17, 2026 | Published: Nov 12, 2020 | CVSS v4: N/A | CVSS v3: 9.9 CRITICAL | CVSS v2: 9.0 HIGH
An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.