Search Results (3744 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-12929 1 Tecnovision 1 Dlx Spot Player4 2025-04-20 N/A
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution.
CVE-2017-11326 1 Tilde Cms Project 1 Tilde Cms 2025-04-20 N/A
An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass the implemented restrictions on arbitrary file upload via a filename.+php manipulation.
CVE-2017-1002008 1 Membership Simplified Project 1 Membership Simplified 2025-04-20 9.8 Critical
Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.
CVE-2017-5520 1 Metalgenix 1 Genixcms 2025-04-20 N/A
The media rename feature in GeniXCMS through 0.0.8 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to rename and execute files with the `.php6`, `.php7` and `.phtml` extensions.
CVE-2017-6027 1 Codesys 1 Web Server 2025-04-20 N/A
An Arbitrary File Upload issue was discovered in 3S-Smart Software Solutions GmbH CODESYS Web Server. The following versions of CODESYS Web Server, part of the CODESYS WebVisu web browser visualization software, are affected: CODESYS Web Server Versions 2.3 and prior. A specially crafted web server request may allow the upload of arbitrary files (with a dangerous type) to the CODESYS Web Server without authorization which may allow remote code execution.
CVE-2017-9380 1 Open-emr 1 Openemr 2025-04-20 8.8 High
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
CVE-2017-14050 1 Blackcat-cms 1 Blackcat Cms 2025-04-20 N/A
In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file.
CVE-2015-2780 1 Berta 1 Berta Cms 2025-04-20 N/A
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
CVE-2017-3108 1 Adobe 1 Experience Manager 2025-04-20 N/A
Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability.
CVE-2014-9312 1 10web 1 Photo Gallery 2025-04-20 N/A
Unrestricted File Upload vulnerability in Photo Gallery 1.2.5.
CVE-2017-16524 2 Hanwhasecurity, Samsung 2 Web Viewer, Srn-1670d 2025-04-20 N/A
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
CVE-2017-16941 1 Octobercms 1 October 2025-04-20 N/A
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering.
CVE-2017-15957 1 Ingenious School Management System Project 1 Ingenious School Management System 2025-04-20 N/A
my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.
CVE-2017-10940 1 Joyent 1 Triton Datacenter 2025-04-20 N/A
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Joyent Smart Data Center prior to [email protected] (e469cf49-4de3-4658-8419-ab42837916ad). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the docker API. The process does not properly validate user-supplied data which can allow for the upload of arbitrary files. An attacker can leverage this vulnerability to execute arbitrary code under the context of root. Was ZDI-CAN-3853.
CVE-2017-1002003 1 Wp2android-turn-wp-site-into-android-app Project 1 Wp2android-turn-wp-site-into-android-app 2025-04-20 N/A
Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
CVE-2017-1002001 1 Mobile-app-builder-by-wappress Project 1 Mobile-app-builder-by-wappress 2025-04-20 N/A
Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
CVE-2016-6124 1 Ibm 1 Kenexa Lms On Cloud 2025-04-20 N/A
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
CVE-2016-0354 1 Ibm 1 Sametime 2025-04-20 N/A
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which could be executed with user privileges. IBM X-Force ID: 111893.
CVE-2017-1000194 1 Octobercms 1 October 2025-04-20 N/A
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server.
CVE-2017-16949 1 Accesspressthemes 1 Anonymous Post Pro 2025-04-20 N/A
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.