CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
page 76 of 84

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-5227 | — | | 0.00 | — | 0.01 | | Sep 30, 2023 | Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8. |
| CVE-2023-38874 | — | | 0.00 | — | 0.28 | | Sep 28, 2023 | A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may… |
| CVE-2023-43497 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to… |
| CVE-2023-38887 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. |
| CVE-2023-41626 | — | | 0.00 | — | 0.00 | | Sep 15, 2023 | Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface. |
| CVE-2022-40896 | | | 0.00 | — | 0.01 | | Jul 19, 2023 | A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. |
| CVE-2023-3692 | | | 0.00 | — | 0.01 | | Jul 16, 2023 | Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10. |
| CVE-2023-36809 | | | 0.00 | — | 0.01 | | Jul 5, 2023 | Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing… |
| CVE-2023-36097 | | | 0.00 | — | 0.01 | | Jun 22, 2023 | funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install. |
| CVE-2020-21489 | — | | 0.00 | — | 0.01 | | Jun 20, 2023 | File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component. |
| CVE-2020-21174 | | | 0.00 | — | 0.01 | | Jun 20, 2023 | File Upload vulnerability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function. |
| CVE-2023-34660 | — | | 0.00 | — | 0.01 | | Jun 16, 2023 | jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface. |
| CVE-2023-33498 | | | 0.00 | — | 0.01 | | Jun 7, 2023 | alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. |
| CVE-2023-33977 | | | 0.00 | — | 0.01 | | Jun 6, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files… |
| CVE-2023-32689 | | | 0.00 | — | 0.01 | | May 30, 2023 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file… |
| CVE-2023-32686 | | | 0.00 | — | 0.00 | | May 27, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files… |
| CVE-2020-22755 | — | | 0.00 | — | 0.01 | | May 8, 2023 | File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943. |
| CVE-2022-45802 | | | 0.00 | — | 0.01 | | May 1, 2023 | Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark… |
| CVE-2022-25277 | — | | 0.00 | — | 0.01 | | Apr 26, 2023 | Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two… |
| CVE-2023-30613 | | | 0.00 | — | 0.01 | | Apr 24, 2023 | Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file… |