Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-3960 1Wallaceit 1Wallacepos Jun 17, 2026 Jul 31, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file.
CVE-2015-5601 1Edx 1Edx Platform Nov 21, 2024 Jul 29, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.
CVE-2019-10267 1Ahsay 1Cloud Backup Suite Jun 17, 2026 Jul 26, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's dir...Show more An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).Show less
CVE-2019-1010209 1Gorul 1Gourl Jun 17, 2026 Jul 23, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE-434. The impact is: unauthenticated/unzuthorized Attacker can upload executable file in website. The component is: gourl.php#L5637. The fixed version...Show more GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE-434. The impact is: unauthenticated/unzuthorized Attacker can upload executable file in website. The component is: gourl.php#L5637. The fixed version is: 1.4.14.Show less
CVE-2019-1010123 1Modx 1Modx Revolution Jun 17, 2026 Jul 23, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before...Show more MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php.Show less
CVE-2019-12326 1Akuvox 1Sp R50p Firmware Jun 17, 2026 Jul 22, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the fi...Show more Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the file) and trigger code execution.Show less
CVE-2019-13984 1Rangerstudio 1Directus 7 Api Jun 17, 2026 Jul 19, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR...Show more Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File.Show less
CVE-2019-13980 1Rangerstudio 1Directus 7 Api Jun 17, 2026 Jul 19, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.
CVE-2019-13979 1Rangerstudio 1Directus 7 Api Jun 17, 2026 Jul 19, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.
CVE-2019-13973 1Layerbb 1Layerbb Jun 17, 2026 Jul 19, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used.
CVE-2019-13359 1Control Webpanel 1Webpanel Jun 17, 2026 Jul 16, 2019 N/A· v4 7.5 HIGH· v3 8.5 HIGH· v2 In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
CVE-2019-1010062 1Pluck Cms 1Pluckcms Jun 17, 2026 Jul 16, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on...Show more PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php file. The fixed version is: after commit 09f0ab871bf633973cfd9fc4fe59d4a912397cf8.Show less
CVE-2019-10935 1Siemens 3Simatic Pcs 7 Simatic WinccSimatic Wincc Runtime Jun 17, 2026 Jul 11, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 1...Show more A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions < V14 SP1 Upd 9), SIMATIC WinCC Professional (TIA Portal V15) (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). The SIMATIC WinCC DataMonitor web application of the affected products allows to upload arbitrary ASPX code. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known.Show less
CVE-2019-10930 1Siemens 2Digsi 5 Engineering Software Siprotec 5 Digsi Device Driver Jun 17, 2026 Jul 11, 2019 N/A· v4 7.5 HIGH· v3 6.4 MEDIUM· v2 A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions ), DIGSI 5 engineering software (All versions < V...Show more A vulnerability has been identified in All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions ), DIGSI 5 engineering software (All versions < V7.90), SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), SIPROTEC 5 device types 7SS85 and 7KE85 (All versions < V8.01), SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules (All versions). A remote attacker could use specially crafted packets sent to port 443/TCP to upload, download or delete files in certain parts of the file system.Show less
CVE-2019-12803 1Hunesion 1I Onenet Jun 17, 2026 Jul 10, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can...Show more In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.Show less
CVE-2019-0327 1Sap 1Netweaver Application Server Java Jun 17, 2026 Jul 10, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script fil...Show more SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.Show less
CVE-2019-13464 1Modsecurity 1Owasp Modsecurity Core Rule Set Jun 17, 2026 Jul 9, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in cert...Show more An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.Show less
CVE-2019-12971 1G U 1Bks Ebk Ethernet Buskoppler Pro Firmware Jun 17, 2026 Jul 5, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload of a File with a Dangerous Type.
CVE-2019-13294 1Arox 1School Erp Jun 17, 2026 Jul 4, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
CVE-2019-7257 1Nortekcontrol 2Linear Emerge Elite Firmware Linear Emerge Essential Firmware Jun 17, 2026 Jul 2, 2019 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 Linear eMerge E3-Series devices allow Unrestricted File Upload.

Previous 1...185186187...206 Next