VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 74 of 84
  • CVE-2024-8019 (Mar 20, 2025)
    risk 0.00 · cvss · epss 0.01

    In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted…

  • CVE-2025-27411 (Mar 5, 2025)
    risk 0.00 · cvss · epss 0.00

    REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.

  • CVE-2024-56515 (Jan 16, 2025)
    risk 0.00 · cvss · epss 0.01

    Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a…

  • CVE-2024-53677 (Dec 11, 2024)
    risk 0.00 · cvss · epss 0.78

    File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts:…

  • CVE-2024-53863 (Dec 3, 2024)
    risk 0.00 · cvss · epss 0.01

    Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools…

  • CVE-2024-47823 (Oct 8, 2024)
    risk 0.00 · cvss · epss 0.01

    Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from…

  • CVE-2024-45965 (Oct 2, 2024)
    risk 0.00 · cvss · epss 0.00

    Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5.x before 5.5.6.

  • CVE-2024-45962 (Oct 2, 2024)
    risk 0.00 · cvss · epss 0.00

    October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript…

  • CVE-2024-45960 (Oct 2, 2024)
    risk 0.00 · cvss · epss 0.00

    Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.

  • CVE-2024-47528 (Oct 1, 2024)
    risk 0.00 · cvss · epss 0.00

    LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with the "admin" role can set the background for a custom map; this allows the upload of an SVG file that can…

  • CVE-2024-47169 (Sep 26, 2024)
    risk 0.00 · cvss · epss 0.01

    Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of…

  • CVE-2024-45398 (Sep 17, 2024)
    risk 0.00 · cvss · epss 0.01

    Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web…

  • CVE-2024-8296 (Aug 29, 2024)
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely.…

  • CVE-2024-8295 (Aug 29, 2024)
    risk 0.00 · cvss · epss 0.01

    A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img] leads to unrestricted upload. The…

  • CVE-2024-8294 (Aug 29, 2024)
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to…

  • CVE-2024-38529 (Jul 29, 2024)
    risk 0.00 · cvss · epss 0.01

    Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the…

  • CVE-2024-40400 (Jul 19, 2024)
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.

  • CVE-2024-31411 (Jul 17, 2024)
    risk 0.00 · cvss · epss 0.01

    Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticated and authorized users. This issue…

  • CVE-2024-5980 (Jun 27, 2024)
    risk 0.00 · cvss · epss 0.01

    A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed…

  • CVE-2024-37821 (Jun 18, 2024)
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.