CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
page 78 of 84

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41711 | | | 0.00 | — | 0.02 | | Oct 25, 2022 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. |
| CVE-2022-42092 | | | 0.00 | — | 0.01 | | Oct 7, 2022 | Backdrop CMS 1.22.0 has an Unrestricted File Upload vulnerability via 'themes' that allows attackers to achieve remote code execution. Note: Third parties dispute this and argue that advanced permissions are required. |
| CVE-2022-3257 | | | 0.00 | — | 0.01 | | Sep 23, 2022 | Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. |
| CVE-2022-2872 | | | 0.00 | — | 0.01 | | Sep 21, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-38916 | | | 0.00 | — | 0.16 | | Sep 20, 2022 | A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files. |
| CVE-2020-21516 | | | 0.00 | — | 0.01 | | Sep 6, 2022 | There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 in the head image upload that allows attackers to execute relevant PHP code. |
| CVE-2022-34971 | | | 0.00 | — | 0.01 | | Jul 27, 2022 | An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-34115 | | | 0.00 | — | 0.01 | | Jul 22, 2022 | DataEase v1.11.1 was discovered to contain an arbitrary file write vulnerability via the parameter dataSourceId. |
| CVE-2022-32065 | | | 0.00 | — | 0.01 | | Jul 13, 2022 | An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file. |
| CVE-2022-32114 | | | 0.00 | — | 0.02 | | Jul 13, 2022 | An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be… |
| CVE-2022-31943 | | | 0.00 | — | 0.01 | | Jul 1, 2022 | MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. |
| CVE-2017-20063 | | | 0.00 | — | 0.01 | | Jun 20, 2022 | A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classified as critical. Affected is an unknown function of the file /filemanager/upload/drop of the component File Upload. The manipulation leads to improper privilege management. It is possible to launch the attack… |
| CVE-2022-2111 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-30506 | | | 0.00 | — | 0.03 | | May 27, 2022 | An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file. |
| CVE-2022-29637 | | | 0.00 | — | 0.01 | | May 26, 2022 | An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file. |
| CVE-2022-1811 | | | 0.00 | — | 0.01 | | May 23, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9. |
| CVE-2021-41938 | | | 0.00 | — | 0.01 | | May 19, 2022 | An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations. |
| CVE-2022-30945 | | | 0.00 | — | 0.01 | | May 17, 2022 | Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. |
| CVE-2022-29351 | | | 0.00 | — | 0.02 | | May 16, 2022 | An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here. |
| CVE-2022-29623 | | | 0.00 | — | 0.01 | | May 16, 2022 | An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report. |