VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base
Status: Draft
Likelihood of Exploit: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
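The handler shape behind most entries on this page, beside a hardened one, as an added example: this is not code from the VYPR page or from any of the projects listed below. The allowlist policy, the function names and the sample uploads are constructed for illustration; the hardened version assumes the store directory lives outside the web server's document root and that stored files are served back only through an application handler that sends the headers returned by download_headers.

```python
import os
import re
import secrets
import tempfile

# Constructed policy: allowlisted extensions and the leading bytes each type
# must carry. Anything outside this table is rejected, never "cleaned up".
ALLOWED_TYPES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# One stem, exactly one dot, one short extension. This single pattern rejects
# traversal, null bytes, double extensions (shell.php.jpg) and dotfiles.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


class UploadRejected(ValueError):
    pass


def vulnerable_save(filename, data, web_root):
    """'Before' shape: the client's filename is trusted and written under the
    document root, so the web server, not this code, decides whether
    shell.php gets executed."""
    path = os.path.join(web_root, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def validate_upload(filename, data):
    """Return the allowlisted extension for this upload, or raise."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or too large")
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # last component only
    m = SAFE_NAME.fullmatch(name)
    if m is None:
        raise UploadRejected("filename not in safe form: %r" % name)
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %s" % ext)
    # Check the bytes, never the client-supplied Content-Type header.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match .%s" % ext)
    return ext


def hardened_save(filename, data, store_dir):
    """Validate, then write under a server-chosen random name in a directory
    outside the document root. A GIF89a<?php ... ?> polyglot passes the magic
    check, but it can no longer land at an attacker-chosen path or be handed
    to a script handler by name."""
    ext = validate_upload(filename, data)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    fd = os.open(os.path.join(store_dir, stored),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def download_headers(ext):
    """Headers for serving a stored file back: force download and forbid
    sniffing, so an uploaded PDF or SVG-like blob cannot run script in the
    application's origin."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="download.%s"' % ext,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample uploads (filename, bytes); none of these is real malware.
SAMPLE_UPLOADS = [
    ("shell.php",         b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg",     b"\xff\xd8\xff" + b"\x00" * 8),          # double extension
    ("shell.php\x00.jpg", b"\xff\xd8\xff"),                        # null byte
    ("../../.htaccess",   b"AddType application/x-httpd-php .gif"),
    ("avatar.png",        b"<?php echo 1; ?>"),                    # wrong magic
    ("avatar.png",        b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),    # legitimate
    ("avatar.gif",        b"GIF89a<?php system($_GET['c']); ?>"),  # polyglot
]


def run_demo():
    """Push the samples through both handlers in temp dirs; return outcomes."""
    web_root, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    vuln = vulnerable_save(*SAMPLE_UPLOADS[0], web_root)
    outcomes = []
    for name, data in SAMPLE_UPLOADS:
        try:
            stored = hardened_save(name, data, store)
            outcomes.append("stored as *." + stored.rsplit(".", 1)[1])
        except UploadRejected as exc:
            outcomes.append("rejected: " + str(exc))
    return {"vulnerable": os.path.basename(vuln), "hardened": outcomes}
```

The polyglot GIF is accepted on purpose: magic-byte and extension checks cannot tell a GIF89a header followed by PHP from a real image, so the hardened path relies on the random server-chosen name, a store outside the document root and attachment-only serving rather than on content inspection alone. Archive uploads (the ZIP-based entries on this page) need a separate check that every extracted path stays inside the target directory; that is not covered here.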

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 78 of 84
  • CVE-2022-41711 (Oct 25, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

  • CVE-2022-42092 (Oct 7, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Backdrop CMS 1.22.0 has an Unrestricted File Upload vulnerability via 'themes' that allows attackers to achieve remote code execution. Note: third parties dispute this and argue that advanced permissions are required.

  • CVE-2022-3257 (Sep 23, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

  • CVE-2022-2872 (Sep 21, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

  • CVE-2022-38916 (Sep 20, 2022)
    risk 0.00 | cvss n/a | epss 0.16

    A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files.

  • CVE-2020-21516 (Sep 6, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 at the head image upload, that allows attackers to execute relevant PHP code.

  • CVE-2022-34971 (Jul 27, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.

  • CVE-2022-34115 (Jul 22, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    DataEase v1.11.1 was discovered to contain an arbitrary file write vulnerability via the parameter dataSourceId.

  • CVE-2022-32065 (Jul 13, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file.

  • CVE-2022-32114 (Jul 13, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be…

  • CVE-2022-31943 (Jul 1, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.

  • CVE-2017-20063 (Jun 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classified as critical. Affected is an unknown function of the file /filemanager/upload/drop of the component File Upload. The manipulation leads to improper privilege management. It is possible to launch the attack…

  • CVE-2022-2111 (Jun 17, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.

  • CVE-2022-30506 (May 27, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.

  • CVE-2022-29637 (May 26, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.

  • CVE-2022-1811 (May 23, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.

  • CVE-2021-41938 (May 19, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations.

  • CVE-2022-30945 (May 17, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

  • CVE-2022-29351 (May 16, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here.

  • CVE-2022-29623 (May 16, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report.