VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 79 of 84
  • CVE-2022-29622 (May 16, 2022)
    risk 0.00 | cvss | epss 0.03

    An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also,…

  • CVE-2022-1411 (May 5, 2022)
    risk 0.00 | cvss | epss 0.01

    Unrestricted file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals…

  • CVE-2022-28397 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.04

    An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this…

  • CVE-2022-27952 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.02

    An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.

  • CVE-2022-27263 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.03

    An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

  • CVE-2022-27261 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.01

    An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.

  • CVE-2022-27260 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.03

    An arbitrary file upload vulnerability in the file upload component of ButterCMS v1.2.8 allows attackers to execute arbitrary code via a crafted SVG file.

  • CVE-2022-27139 (Apr 12, 2022)
    risk 0.00 | cvss | epss 0.04

    An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated…

  • CVE-2022-27115 (Apr 11, 2022)
    risk 0.00 | cvss | epss 0.29

    In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.

  • CVE-2021-43421 (Apr 7, 2022)
    risk 0.00 | cvss | epss 0.43

    A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.

  • CVE-2021-34257 (Mar 31, 2022)
    risk 0.00 | cvss | epss 0.02

    Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image.

  • CVE-2022-1034 (Mar 22, 2022)
    risk 0.00 | cvss | epss 0.01

    There is an Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in GitHub repository star7th/showdoc prior to 2.10.4.

  • CVE-2022-0415 (Mar 21, 2022)
    risk 0.00 | cvss | epss 0.65

    Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.

  • CVE-2022-0959 (Mar 16, 2022)
    risk 0.00 | cvss | epss 0.01

    A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.

  • CVE-2022-0951 (Mar 15, 2022)
    risk 0.00 | cvss | epss 0.01

    File Upload Restriction Bypass leading to Stored XSS Vulnerability in GitHub repository star7th/showdoc prior to 2.10.4.

  • CVE-2022-0950 (Mar 15, 2022)
    risk 0.00 | cvss | epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4.

  • CVE-2022-24749 (Mar 14, 2022)
    risk 0.00 | cvss | epss 0.01

    Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or…

  • CVE-2021-42171 (Mar 14, 2022)
    risk 0.00 | cvss | epss 0.02

    Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.

  • CVE-2022-0960 (Mar 14, 2022)
    risk 0.00 | cvss | epss 0.01

    Stored XSS via .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.

  • CVE-2022-0921 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.02

    Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.