CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
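The weakness is usually reached through a handler that trusts the client-supplied file name or Content-Type. The following is an added example (not code from the CWE entry or from any product listed on this page) of an allowlist-based validator that closes the bypasses the mapped CVEs describe: executable extensions hidden behind a second extension, extensions swapped after interception, script-bearing file names, and path components in the name. The `ALLOWED_TYPES` and `EXECUTABLE_EXTENSIONS` tables and the `validate_upload` and `check` helpers are assumptions for the illustration.

```python
"""Allowlist validation for user-supplied uploads (added example, not from
the CWE entry). Assumes the application only needs a few image types, stores
files under a server-generated name, and serves them from a directory where
the web server never executes scripts."""
import os
import re
import secrets
from dataclasses import dataclass

# Allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that must never appear anywhere in the name, even as an inner
# extension ("shell.php.png"): some server configurations (e.g. Apache
# AddHandler) execute a file on any matching extension, not only the last.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh", "htaccess",
}


@dataclass(frozen=True)
class StoredUpload:
    stored_name: str   # random server-side name, never attacker-controlled
    display_name: str  # sanitised original name, safe to render in a page
    extension: str


class UploadRejected(ValueError):
    pass


def sanitize_display_name(name: str) -> str:
    """Keep a conservative character set for the name shown to users, so a
    file name carrying markup or script cannot be reflected as-is."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned[:100] or "upload"


def validate_upload(filename: str, content: bytes,
                    max_bytes: int = 5_000_000) -> StoredUpload:
    if len(content) == 0 or len(content) > max_bytes:
        raise UploadRejected("empty or oversized file")

    # Drop any directory component the client sent ("../../x.png", "C:\\x.png").
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base.startswith("."):
        raise UploadRejected("invalid file name")

    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    ext, all_exts = parts[-1], parts[1:]

    # Reject executable extensions anywhere in the name, then require the
    # final extension to be on the allowlist (deny-list checks alone are
    # bypassable; the allowlist is what actually restricts the type).
    if any(e in EXECUTABLE_EXTENSIONS for e in all_exts):
        raise UploadRejected("executable file type")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")

    # The declared type must match the bytes. The client's Content-Type
    # header is never consulted because the attacker controls it.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # Store under a random name so the attacker cannot choose the path.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return StoredUpload(stored, sanitize_display_name(base), ext)


def check(filename: str, content: bytes) -> bool:
    """True if the upload would be accepted."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64     # constructed sample content
    php = b"<?php system($_GET['c']); ?>"          # constructed sample content
    for name, data in [("avatar.png", png), ("shell.phar", php),
                       ("shell.php.png", png), ("avatar.png", php),
                       ("../../etc/cron.d/x.png", png),
                       ("<img src=x onerror=alert(1)>.png", png)]:
        print(f"{name!r:40} -> {'accept' if check(name, data) else 'reject'}")
```

Note that the extension check is only half of the defence: the stored name is generated server-side and the upload directory must not be executable, so that even a validation slip (as in the admin-configurable type list in the Zenario entry below) does not turn into code execution.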
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
Page 80 of 84

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2022-0912 | 0.00 | — | 0.01 | Mar 11, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11. |
| CVE-2022-23043 | 0.00 | — | 0.01 | Feb 22, 2022 | Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' entry using the '.phar' extension. An attacker can then upload a malicious file, intercept the request and change the extension to '.phar' in order to run… |
| CVE-2022-0409 | 0.00 | — | 0.01 | Feb 19, 2022 | Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2. |
| CVE-2020-13675 | 0.00 | — | 0.01 | Feb 11, 2022 | Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by… |
| CVE-2022-0472 | 0.00 | — | 0.01 | Feb 4, 2022 | Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9. |
| CVE-2022-23315 | 0.00 | — | 0.02 | Jan 20, 2022 | MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. |
| CVE-2022-22929 | 0.00 | — | 0.03 | Jan 20, 2022 | MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. |
| CVE-2022-0263 | 0.00 | — | 0.01 | Jan 18, 2022 | Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7. |
| CVE-2022-0242 | 0.00 | — | 0.01 | Jan 17, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0. |
| CVE-2021-4080 | 0.00 | — | 0.01 | Jan 12, 2022 | crater is vulnerable to Unrestricted Upload of File with Dangerous Type. |
| CVE-2021-23814 | 0.00 | — | 0.02 | Dec 17, 2021 | This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: 1. Install a package with a web Laravel application. 2.… |
| CVE-2021-23562 | 0.00 | — | 0.01 | Dec 3, 2021 | This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user into uploading this kind of file. |
| CVE-2021-3915 | 0.00 | — | 0.01 | Nov 13, 2021 | bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type. |
| CVE-2021-41745 | 0.00 | — | 0.01 | Oct 22, 2021 | ShowDoc 2.8.3 has a file upload vulnerability, which attackers can use to obtain server permissions. |
| CVE-2021-3846 | 0.00 | — | 0.01 | Oct 19, 2021 | firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type. |
| CVE-2021-40324 | 0.00 | — | 0.69 | Oct 4, 2021 | Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. |
| CVE-2020-21322 | 0.00 | — | 0.02 | Sep 15, 2021 | An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2021-36440 | 0.00 | — | 0.05 | Sep 8, 2021 | Unrestricted File Upload in ShowDoc v2.9.5 allows remote attackers to execute arbitrary code via the 'file_url' parameter in the component AdminUpdateController.class.php. |
| CVE-2021-39149 | 0.00 | — | 0.05 | Aug 23, 2021 | XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed… |
| CVE-2021-39151 | 0.00 | — | 0.05 | Aug 23, 2021 | XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed… |