Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CVEs (4,107)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-10648 1Citrix 1Xenmobile Server Nov 21, 2024 May 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2017-2617 1Hawt 1Hawtio Aug 5, 2025 May 22, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed.
CVE-2018-11322 1Joomla 1Joomla Nov 21, 2024 May 22, 2018 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVE-2018-11345 1Asustor 1As6202t Firmware Nov 21, 2024 May 22, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on th...Show more An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system.Show less
CVE-2018-11340 1Asustor 1As6202t Firmware Nov 21, 2024 May 22, 2018 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the fi...Show more An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed.Show less
CVE-2018-11331 1Pluck Cms 1Pluck Nov 21, 2024 May 21, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-4921 1Adobe 1Connect Nov 21, 2024 May 19, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-10760 1Projectpier 1Projectpier Nov 21, 2024 May 16, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Unrestricted file upload vulnerability in the Files plugin in ProjectPier 0.88 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading a file with an executable extension, then accessing...Show more Unrestricted file upload vulnerability in the Files plugin in ProjectPier 0.88 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the tmp directory under the document root.Show less
CVE-2018-7505 1Advantech 4Webaccess Webaccess/nmsWebaccess Dashboard+1 more Jun 17, 2026 May 15, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and pri...Show more In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.Show less
CVE-2018-11098 1Frog Cms Project 1Frog Cms Nov 21, 2024 May 15, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Frog CMS 0.9.5. There is a file upload vulnerability via the admin/?/plugin/file_manager/upload URI, a similar issue to CVE-2014-4912.
CVE-2018-11091 1Mybiz 1Myprocurenet May 29, 2026 May 14, 2018 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerabil...Show more An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.Show less
CVE-2018-0587 1Ultimatemember 1User Profile & Membership Nov 21, 2024 May 14, 2018 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
CVE-2018-0568 1Sitebridge 1Joruri Gw Nov 21, 2024 May 14, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Unrestricted file upload vulnerability in SiteBridge Inc. Joruri Gw Ver 3.2.0 and earlier allows remote authenticated users to execute arbitrary PHP code via unspecified vectors.
CVE-2018-10942 1Attribute Wizard Project 1Attribute Wizard Nov 21, 2024 May 10, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file.
CVE-2018-2420 1Sap 1Internet Graphics Server Nov 21, 2024 May 9, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation.
CVE-2018-10795 1Liferay 1Liferay Portal Nov 21, 2024 May 7, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/br...Show more Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload filesShow less
CVE-2018-0258 1Cisco 2Prime Data Center Network Manager Prime Infrastructure Nov 21, 2024 May 2, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute th...Show more A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability affects the following products: Cisco Prime Data Center Network Manager (DCNM) Version 10.0 and later, and Cisco Prime Infrastructure (PI) All versions. Cisco Bug IDs: CSCvf32411, CSCvf81727.Show less
CVE-2018-10577 1Watchguard 4Ap100 Firmware Ap102 FirmwareAp200 Firmware+1 more Nov 21, 2024 May 2, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. File upload functionality allows any users authenticated on the web in...Show more An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. File upload functionality allows any users authenticated on the web interface to upload files containing code to the web root, allowing these files to be executed as root.Show less
CVE-2016-10036 1Jfrog 1Artifactory Nov 21, 2024 May 1, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (...Show more Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.Show less
CVE-2018-10521 1Cmsmadesimple 1Cms Made Simple Nov 21, 2024 Apr 27, 2018 N/A· v4 2.7 LOW· v3 4.0 MEDIUM· v2 In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be mov...Show more In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in the admin dashboard contains an arbitrary file movement vulnerability that can cause DoS, exploitable by an admin user, because config.php can be moved into an incorrect directory.Show less

Previous 1...196197198...206 Next