Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-0920 1Microsoft 3Sharepoint Enterprise Server Sharepoint FoundationSharepoint Server Jun 17, 2026 Apr 15, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE...Show more A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0971, CVE-2020-0974.Show less
CVE-2020-10507 1The School Manage System Project 1The School Manage System Jun 17, 2026 Apr 15, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine.
CVE-2020-11722 1Dungeon Crawl Stone Soup Project 1Dungeon Crawl Stone Soup Jun 17, 2026 Apr 12, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.
CVE-2020-10621 1Advantech 1Webaccess/nms Jun 17, 2026 Apr 9, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).
CVE-2020-11598 1Cipplanner 1Cipace Jun 17, 2026 Apr 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file.
CVE-2020-11544 1Projectworlds 1Official Car Rental System Jun 17, 2026 Apr 6, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary...Show more An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for executable files.Show less
CVE-2020-8639 1Testlink 1Testlink Jun 17, 2026 Apr 3, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker...Show more An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.Show less
CVE-2020-11451 1Microstrategy 1Microstrategy Web Jun 17, 2026 Apr 2, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: Th...Show more The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges.Show less
CVE-2020-6008 1Lifterlms 1Lifterlms Jun 17, 2026 Mar 31, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution
CVE-2020-10964 1S9y 1Serendipity Jun 17, 2026 Mar 25, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.
CVE-2020-10963 1Frozennode 1Laravel Administrator Jun 17, 2026 Mar 25, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has th...Show more FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.Show less
CVE-2020-10934 1Acyba 1Acymailing Jun 17, 2026 Mar 24, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Acyba AcyMailing before 6.9.2 mishandles file uploads by admins.
CVE-2020-8866 2Debian Horde 3Debian Linux GroupwareHorde Form Jun 17, 2026 Mar 23, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists...Show more This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.Show less
CVE-2020-8511 1Artica 1Pandora Fms Jun 17, 2026 Mar 23, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.
CVE-2020-7935 1Artica 1Pandora Fms Jun 17, 2026 Mar 23, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) direct...Show more Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access.Show less
CVE-2020-10806 1Ez 2Ez Publish Kernel Ez Publish Legacy Jun 17, 2026 Mar 22, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code...Show more eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.Show less
CVE-2020-10682 1Cmsmadesimple 1Cms Made Simple Jun 17, 2026 Mar 20, 2020 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and conta...Show more The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. The file should be sent as application/octet-stream and contain PHP code (it need not be a valid JPEG file).Show less
CVE-2019-16066 1Netsas 1Enigma Network Management Solution Jun 17, 2026 Mar 19, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An unrestricted file upload vulnerability exists in user and system file upload functions in NETSAS Enigma NMS 65.0.0 and prior. This allows an attacker to upload malicious files and perform arbitrary code execution on t...Show more An unrestricted file upload vulnerability exists in user and system file upload functions in NETSAS Enigma NMS 65.0.0 and prior. This allows an attacker to upload malicious files and perform arbitrary code execution on the system.Show less
CVE-2020-9423 1Logicaldoc 1Logicaldoc Jun 17, 2026 Mar 18, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. LogicalDoc provides a functionality to add documents. Those documents could...Show more LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. LogicalDoc provides a functionality to add documents. Those documents could then be used for multiple tasks, such as version control, shared among users, applying tags, etc. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file in a restricted folder. This would lead to the executions of malicious commands with root privileges.Show less
CVE-2019-11074 1Paessler 1Prtg Network Monitor Jun 17, 2026 Mar 17, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the conten...Show more A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Full Web Page Sensor and set specific settings when executing the sensor.Show less

Previous 1...176177178...206 Next