VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 76 of 84
  • CVE-2023-5227 (Sep 30, 2023)
    risk 0.00 | cvss | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

  • CVE-2023-38874 (Sep 28, 2023)
    risk 0.00 | cvss | epss 0.28

    A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may…

  • CVE-2023-43497 (Sep 20, 2023)
    risk 0.00 | cvss | epss 0.01

    In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to…

  • CVE-2023-38887 (Sep 20, 2023)
    risk 0.00 | cvss | epss 0.01

    File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.

  • CVE-2023-41626 (Sep 15, 2023)
    risk 0.00 | cvss | epss 0.00

    Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.

  • CVE-2022-40896 (Jul 19, 2023)
    risk 0.00 | cvss | epss 0.01

    A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

  • CVE-2023-3692 (Jul 16, 2023)
    risk 0.00 | cvss | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.

  • CVE-2023-36809 (Jul 5, 2023)
    risk 0.00 | cvss | epss 0.01

    Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing…

  • CVE-2023-36097 (Jun 22, 2023)
    risk 0.00 | cvss | epss 0.01

    funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install.

  • CVE-2020-21489 (Jun 20, 2023)
    risk 0.00 | cvss | epss 0.01

    File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.

  • CVE-2020-21174 (Jun 20, 2023)
    risk 0.00 | cvss | epss 0.01

    File Upload vulnerability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.

  • CVE-2023-34660 (Jun 16, 2023)
    risk 0.00 | cvss | epss 0.01

    jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface.

  • CVE-2023-33498 (Jun 7, 2023)
    risk 0.00 | cvss | epss 0.01

    alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file.

  • CVE-2023-33977 (Jun 6, 2023)
    risk 0.00 | cvss | epss 0.01

    Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files…

  • CVE-2023-32689 (May 30, 2023)
    risk 0.00 | cvss | epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file…

  • CVE-2023-32686 (May 27, 2023)
    risk 0.00 | cvss | epss 0.00

    Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files…

  • CVE-2020-22755 (May 8, 2023)
    risk 0.00 | cvss | epss 0.01

    File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.

  • CVE-2022-45802 (May 1, 2023)
    risk 0.00 | cvss | epss 0.01

    Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark…

  • CVE-2022-25277 (Apr 26, 2023)
    risk 0.00 | cvss | epss 0.01

    Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two…

  • CVE-2023-30613 (Apr 24, 2023)
    risk 0.00 | cvss | epss 0.01

    Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file…