VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 71 of 84
  • CVE-2021-44673 (Mar 10, 2022)
    risk 0.03 · cvss n/a · epss 0.09

    A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via admin/file-manager/attachments, which lets a malicious user upload a web shell script.

  • CVE-2012-1592 (Dec 5, 2019)
    risk 0.03 · cvss n/a · epss 0.29

    A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

  • CVE-2006-4558 (Sep 6, 2006)
    risk 0.03 · cvss n/a · epss 0.04

    DeluxeBB 1.06 and earlier, when run on the Apache HTTP Server with the mod_mime module, allows remote attackers to execute arbitrary PHP code by uploading files with double extensions via the fileupload parameter in a newthread action in newpost.php.

  • CVE-2005-1881 (Jun 6, 2005)
    risk 0.03 · cvss n/a · epss 0.03

    upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code.

  • CVE-2024-22393 (Feb 22, 2024)
    risk 0.02 · cvss n/a · epss 0.02

    Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image…

  • CVE-2023-49052 (Nov 30, 2023)
    risk 0.02 · cvss n/a · epss 0.02

    File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

  • CVE-2023-41564 (Sep 8, 2023)
    risk 0.02 · cvss n/a · epss 0.01

    An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

  • CVE-2021-21344 (Mar 22, 2021)
    risk 0.02 · cvss n/a · epss 0.76

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2018-9207 (Nov 19, 2018)
    risk 0.02 · cvss n/a · epss 0.03

    Arbitrary file upload in jQuery Upload File <= 4.0.2

  • CVE-2024-55417 (Jan 30, 2025)
    risk 0.01 · cvss n/a · epss 0.12

    DevDojo Voyager through version 1.8.0 is vulnerable to bypassing the file type verification when an authenticated user uploads a file via /admin/media/upload. An authenticated user can upload a web shell causing arbitrary code execution on the server.

  • CVE-2022-41705 (Nov 25, 2022)
    risk 0.01 · cvss n/a · epss 0.02

    Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

  • CVE-2021-46036 (Feb 18, 2022)
    risk 0.01 · cvss n/a · epss 0.04

    An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.

  • CVE-2021-44255 (Jan 31, 2022)
    risk 0.01 · cvss n/a · epss 0.03

    Authenticated remote code execution in MotionEye <= 0.42.1 and MotionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server.

  • CVE-2021-46386 (Jan 26, 2022)
    risk 0.01 · cvss n/a · epss 0.03

    File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.

  • CVE-2021-21350 (Mar 22, 2021)
    risk 0.01 · cvss n/a · epss 0.15

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the…

  • CVE-2019-19634 (Dec 17, 2019)
    risk 0.01 · cvss n/a · epss 0.04

    class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

  • CVE-2018-19422 (Nov 21, 2018)
    risk 0.01 · cvss n/a · epss 0.64

    /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

  • CVE-2018-14028 (High, Aug 10, 2018)
    risk 0.01 · cvss 7.2 · epss 0.18

    In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an…

  • CVE-2001-0340 (Jul 21, 2001)
    risk 0.01 · cvss n/a · epss 0.06

    An interaction between the Outlook Web Access (OWA) service in Microsoft Exchange 2000 Server and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code, which is executed automatically.

  • CVE-2026-55778 (Low, Jun 19, 2026)
    risk 0.00 · cvss n/a · epss n/a

    Impact: Parse Server's default `fileUpload.fileExtensions` blocklist is intended to prevent uploading files that browsers render as active content (such as HTML and SVG), which can be used to perform stored cross-site scripting (XSS) attacks against other users. The…