CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.


CVEs (4,107)

Each entry below lists the vendor, product, last-updated date, published date, CVSS scores (v4, v3, v2) and the CVE description.

Vendor: Prestashop | Product: Prestashop | Updated: Nov 21, 2024 | Published: Jan 23, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 9.0 HIGH
PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory.

Vendor: Accusoft | Product: Prizm Content Connect | Updated: Nov 21, 2024 | Published: Jan 21, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability.

Vendor: Qdpm | Product: Qdpm | Updated: Jun 17, 2026 | Published: Jan 21, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

Vendor: Logaritmo | Product: Aware Callmanager | Updated: Jun 17, 2026 | Published: Jan 21, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/* content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI.

Vendor: Oracle | Product: Revenue Management And Billing | Updated: Jun 17, 2026 | Published: Jan 15, 2020 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 4.9 MEDIUM
Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vendor: Joomla | Product: Joomla | Updated: Nov 21, 2024 | Published: Jan 15, 2020 | CVSS: v4 N/A, v3 5.3 MEDIUM, v2 5.0 MEDIUM
Joomla! 1.5x through 1.5.12: Missing JEXEC Check

Vendor: Websitebaker | Product: Websitebaker | Updated: Nov 21, 2024 | Published: Jan 14, 2020 | CVSS: v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions.

Vendor: Phpgurukul | Product: Car Rental Portal | Updated: Jun 17, 2026 | Published: Jan 14, 2020 | CVSS: v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
PHPGurukul Car Rental Project v1.0 allows Remote Code Execution via an executable file in an upload of a new profile image.

Vendor: Employee Records System Project | Product: Employee Records System | Updated: Jun 17, 2026 | Published: Jan 9, 2020 | CVSS: v4 N/A, v3 7.2 HIGH, v2 6.5 MEDIUM
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension.

Vendor: Gatewaygeomatics | Product: Mapserver | Updated: Nov 21, 2024 | Published: Jan 9, 2020 | CVSS: v4 N/A, v3 8.1 HIGH, v2 9.3 HIGH
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information.

Vendor: Invisioncommunity | Product: Invision Power Board | Updated: Nov 21, 2024 | Published: Jan 9, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.

Vendor: Bss Continuity Cms Project | Product: Bss Continuity Cms | Updated: Nov 21, 2024 | Published: Jan 9, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerability due to unauthenticated file upload.

Vendor: Ahsay | Product: Cloud Backup Suite | Updated: Jun 17, 2026 | Published: Jan 6, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 4.0 MEDIUM
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds.

Vendor: Thomsonreuters | Product: Fatca | Updated: Nov 21, 2024 | Published: Jan 6, 2020 | CVSS: v4 N/A, v3 9.9 CRITICAL, v2 9.0 HIGH
A file upload issue exists in the specid parameter in Thomson Reuters FATCH before 5.2, which allows malicious users to upload arbitrary PHP files to the web root and execute system commands.

Vendor: Dedecms | Product: Dedecms | Updated: Nov 21, 2024 | Published: Jan 6, 2020 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users to get a shell.

Vendor: Gilacms | Product: Gila Cms | Updated: Jun 17, 2026 | Published: Jan 6, 2020 | CVSS: v4 N/A, v3 9.1 CRITICAL, v2 9.0 HIGH
Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous Type via .phar or .phtml to the lzld/thumb?src= URI.

Vendor: Cloudfastpath | Product: Netcharts Server | Updated: Nov 21, 2024 | Published: Jan 3, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 10.0 HIGH
Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.

Vendor: Helpdezk | Product: Helpdezk | Updated: Nov 21, 2024 | Published: Jan 3, 2020 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter.

Vendor: Prasathmani | Product: Tiny File Manager | Updated: Jun 17, 2026 | Published: Dec 30, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted.

Vendor: Al Enterprise | Product: Omnivista 8770 | Updated: Jun 17, 2026 | Published: Dec 27, 2019 | CVSS: v4 N/A, v3 7.2 HIGH, v2 9.0 HIGH
An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM.