CWE-434

4,107 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.


CVEs (4,107)

Each record below lists vendors, products, updated date, published date, CVSS scores (v4 / v3 / v2) and the CVE description.

Vendors: Phpok
Products: Phpok
Updated: Nov 21, 2024 | Published: Nov 26, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
An issue was discovered in PHPok 4.9.015. admin.php?c=update&f=unzip allows remote attackers to execute arbitrary code via a "Login Background > Program Upgrade > Compressed Packet Upgrade" action in which a .php file is inside a ZIP archive.

Vendors: Interspire
Products: Email Marketer
Updated: Nov 21, 2024 | Published: Nov 26, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Interspire Email Marketer through 6.1.6 allows arbitrary file upload via a surveys_submit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under an admin/temp/surveys/ URI.

Vendors: Tp Link
Products: Archer C5 Firmware
Updated: Nov 21, 2024 | Published: Nov 26, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 9.0 HIGH
TP-Link Archer C5 devices through V2_160201_US allow remote command execution via shell metacharacters on the wan_dyn_hostname line of a configuration file that is encrypted with the 478DA50BF9E3D2CF key and uploaded through the web GUI by using the web admin account. The default password of admin may be used in some cases.

Vendors: Logicspice
Products: Faq Script
Updated: Nov 21, 2024 | Published: Nov 22, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
Logicspice FAQ Script 2.9.7 allows uploading arbitrary files, which leads to remote command execution via admin/faqs/faqimages with a .php file.

Vendors: Clippercms
Products: Clippercms
Updated: Nov 21, 2024 | Published: Nov 21, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
ClipperCMS 1.3.3 allows remote authenticated administrators to upload .htaccess files.

Vendors: Codiad
Products: Codiad
Updated: Nov 21, 2024 | Published: Nov 21, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file.

Vendors: Intelliants
Products: Subrion Cms
Updated: Nov 21, 2024 | Published: Nov 21, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

Vendors: Get Simple
Products: Getsimple Cms
Updated: Nov 21, 2024 | Published: Nov 21, 2018
CVSS: v4 N/A | v3 3.8 LOW | v2 4.0 MEDIUM
In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php.

Vendors: Get Simple
Products: Getsimple Cms
Updated: Nov 21, 2024 | Published: Nov 21, 2018
CVSS: v4 N/A | v3 3.8 LOW | v2 4.0 MEDIUM
In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php.

Vendors: Roche
Products: Accu Chek Inform Ii Firmware, Coaguchek Pro Ii Firmware, Coaguchek Xs Plus Firmware, +2 more
Updated: Nov 21, 2024 | Published: Nov 20, 2018
CVSS: v4 N/A | v3 6.8 MEDIUM | v2 4.1 MEDIUM
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial number below KQ0400000 or KS0400000), and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). A vulnerability in the software update mechanism allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package.

Vendors: Roche
Products: Accu Chek Inform Ii Firmware, Coaguchek Pro Ii Firmware, Coaguchek Xs Plus Firmware, +2 more
Updated: Nov 21, 2024 | Published: Nov 20, 2018
CVSS: v4 N/A | v3 9.6 CRITICAL | v2 8.3 HIGH
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial Number below KQ0400000 or KS0400000) and cobas h 232 before 04.00.04 (Serial Number above KQ0400000 or KS0400000). Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted Poct1-A message.

Vendors: Fineuploader
Products: Php Traditional Server
Updated: Jun 17, 2026 | Published: Nov 19, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2

Vendors: Hayageek
Products: Jquery Upload File
Updated: Jun 17, 2026 | Published: Nov 19, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Arbitrary file upload in jQuery Upload File <= 4.0.2

Vendors: Mypresta, Prestashop
Products: Customer Files Upload, Prestashop
Updated: Nov 21, 2024 | Published: Nov 19, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).

Vendors: School Event Management System Project
Products: School Event Management System
Updated: Nov 21, 2024 | Published: Nov 16, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.

Vendors: Neo
Products: Debun Imap, Debun Pop
Updated: Nov 21, 2024 | Published: Nov 15, 2018
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote authenticated attackers to upload and execute any executable files via unspecified vectors.

Vendors: Prestashop
Products: Prestashop
Updated: Nov 21, 2024 | Published: Nov 9, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.

Vendors: Tuyoshi
Products: Jquery Picture Cut
Updated: Jun 17, 2026 | Published: Nov 5, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta

Vendors: Basercms
Products: Basercms
Updated: Nov 21, 2024 | Published: Nov 5, 2018
CVSS: v4 N/A | v3 7.2 HIGH | v2 6.5 MEDIUM
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter.

Vendors: Popojicms
Products: Popojicms
Updated: Nov 21, 2024 | Published: Nov 5, 2018
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.