Total
3531 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-3436 | 1 Cisco | 3 Adaptive Security Appliance, Adaptive Security Appliance Software, Firepower Threat Defense | 2024-11-21 | 8.6 High |
| A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to upload arbitrary-sized files to specific folders on an affected device, which could lead to an unexpected device reload. The vulnerability exists because the affected software does not efficiently handle the writing of large files to specific folders on the local file system. An attacker could exploit this vulnerability by uploading files to those specific folders. A successful exploit could allow the attacker to write a file that triggers a watchdog timeout, which would cause the device to unexpectedly reload, causing a denial of service (DoS) condition. | ||||
| CVE-2020-36706 | 1 Simple-press | 1 Simple\ | 2024-11-21 | 9.8 Critical |
| The Simple:Press – WordPress Forum Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file in versions up to, and including, 6.6.0. This makes it possible for attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2020-36485 | 1 Madeportable | 1 Playable | 2024-11-21 | 7.8 High |
| Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file. | ||||
| CVE-2020-36388 | 1 Civicrm | 1 Civicrm | 2024-11-21 | 8.8 High |
| In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive. | ||||
| CVE-2020-36167 | 1 Veritas | 1 Backup Exec | 2024-11-21 | 9.3 Critical |
| An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a :\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain. | ||||
| CVE-2020-36141 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 8.8 High |
| BloofoxCMS 0.5.2.1 allows Unrestricted File Upload vulnerability via bypass MIME Type validation by inserting 'image/jpeg' within the 'Content-Type' header. | ||||
| CVE-2020-36082 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 9.8 Critical |
| File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module. | ||||
| CVE-2020-36079 | 1 Zenphoto | 1 Zenphoto | 2024-11-21 | 7.2 High |
| Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site. | ||||
| CVE-2020-35949 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 10 Critical |
| An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file. | ||||
| CVE-2020-35945 | 1 Elegant Themes | 3 Divi, Divi Builder, Divi Extra | 2024-11-21 | 9.9 Critical |
| An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side. | ||||
| CVE-2020-35797 | 1 Netgear | 2 Nms300, Nms300 Firmware | 2024-11-21 | 9.8 Critical |
| NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker. | ||||
| CVE-2020-35760 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 9.8 Critical |
| bloofoxCMS 0.5.2.1 is infected with Unrestricted File Upload that allows attackers to upload malicious files (ex: php files). | ||||
| CVE-2020-35657 | 1 Jaws Project | 1 Jaws | 2024-11-21 | 7.2 High |
| Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product. | ||||
| CVE-2020-35656 | 1 Jaws Project | 1 Jaws | 2024-11-21 | 7.2 High |
| Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product. | ||||
| CVE-2020-35627 | 1 Woocommerce | 1 Gift Cards | 2024-11-21 | 8.8 High |
| Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift Card Template", the function of uploading a custom image is used, changing the name of the image extension to PHP and executing PHP code on the server. | ||||
| CVE-2020-35489 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 10.0 Critical |
| The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. | ||||
| CVE-2020-35442 | 1 Fangfa | 1 Fdcms | 2024-11-21 | 9.8 Critical |
| FDCMS (also known as Fangfa Content Management System) 4.0 allows remote attackers to get a webshell in the background via Front/lib/Action/FindexAction.class.php. | ||||
| CVE-2020-35133 | 1 Irfanview | 1 Irfanview | 2024-11-21 | 7.5 High |
| irfanView 4.56 contains an error processing parsing files of type .pcx. Which leads to out-of-bounds writing at i_view32+0xdb60. | ||||
| CVE-2020-2730 | 1 Oracle | 1 Revenue Management And Billing | 2024-11-21 | 5.4 Medium |
| Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | ||||
| CVE-2020-29597 | 1 Incomcms Project | 1 Incomcms | 2024-11-21 | 9.8 Critical |
| IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server. | ||||