Total
3802 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47823 | 1 Laravel | 1 Livewire | 2025-03-06 | N/A | 9.8 CRITICAL |
| Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-8425 | 1 Wpswings | 1 Woocommerce Ultimate Gift Card | 2025-03-06 | N/A | 9.8 CRITICAL |
| The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-2604 | 1 Remyandrade | 1 File Manager App | 2025-03-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester File Manager App 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/update-file.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257182 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-32562 | 1 Ivanti | 1 Avalanche | 2025-03-06 | N/A | 9.8 CRITICAL |
| An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1. | |||||
| CVE-2024-38529 | 1 Admidio | 1 Admidio | 2025-03-06 | N/A | 9.0 CRITICAL |
| Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10. | |||||
| CVE-2024-13869 | 1 Wpvivid | 1 Wpvivid Backup \& Migration | 2025-03-05 | N/A | 7.2 HIGH |
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers. | |||||
| CVE-2021-33352 | 1 Wyomind | 1 Help Desk | 2025-03-05 | N/A | 9.8 CRITICAL |
| An issue in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via a phar file upload in the ticket message field. | |||||
| CVE-2024-29859 | 1 Misp | 1 Misp | 2025-03-05 | N/A | 9.8 CRITICAL |
| In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. | |||||
| CVE-2024-5043 | 1 Emlog | 1 Emlog | 2025-03-05 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264740. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2565 | 1 Pandax | 1 Pandax | 2025-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257064. | |||||
| CVE-2024-2561 | 1 74cms | 1 74cms | 2025-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in 74CMS 3.28.0. Affected by this issue is the function sendCompanyLogo of the file /controller/company/Index.php#sendCompanyLogo of the component Company Logo Handler. The manipulation of the argument imgBase64 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257060. | |||||
| CVE-2024-25034 | 1 Ibm | 1 Planning Analytics | 2025-03-05 | N/A | 8.0 HIGH |
| IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks. | |||||
| CVE-2024-40693 | 1 Ibm | 1 Planning Analytics | 2025-03-05 | N/A | 8.0 HIGH |
| IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. | |||||
| CVE-2023-22890 | 1 Smartbear | 1 Zephyr Enterprise | 2025-03-05 | N/A | 7.5 HIGH |
| SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition. | |||||
| CVE-2025-1890 | 1 Shishuocms Project | 1 Shishuocms | 2025-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in shishuocms 1.1 and classified as critical. This vulnerability affects the function handleRequest of the file src/main/java/com/shishuo/cms/action/manage/ManageUpLoadAction.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-23328 | 1 Avantfax | 1 Avantfax | 2025-03-04 | N/A | 8.8 HIGH |
| A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. | |||||
| CVE-2025-0341 | 1 Campcodes | 1 Computer Laboratory Management System | 2025-03-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in CampCodes Computer Laboratory Management System 1.0. Affected by this issue is some unknown functionality of the file /class/edit/edit. The manipulation of the argument e_photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-45599 | 1 Ailux | 1 Imx6 | 2025-03-03 | N/A | 5.5 MEDIUM |
| A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2025-1835 | 2025-03-03 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in osuuu LightPicture 1.2.2 and classified as critical. This vulnerability affects the function upload of the file /app/controller/Api.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-56897 | 1 Yitechnology | 2 Yi Car Dashcam, Yi Car Dashcam Firmware | 2025-03-03 | N/A | 9.8 CRITICAL |
| Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset. | |||||