CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,130 vulnerabilities with CWE-434
CVE-2021-41644 CRITICAL
Sourcecodester Online Food Ordering System 2.0 - Remote Code Execution via PHP File Upload Bypass
CVSS 9.8
CVE-2021-41643 CRITICAL
Church Management System 1.0 - Remote Code Execution via Image Upload Field
CVSS 9.8
CVE-2021-41675 HIGH
e-negosyo_system 1.0 - Authenticated Remote Code Execution via Image Upload MIME Validation Bypass
CVSS 7.2
CVE-2021-36548 CRITICAL
Monstra 3.0.4 - Remote Code Execution via Theme Template File Upload
CVSS 9.8
CVE-2021-36547 CRITICAL
mara_cms 7.5 - Remote Code Execution via File Upload in /codebase/dir.php
CVSS 9.8
CVE-2021-3745 MEDIUM
flatcore-cms - Unrestricted Upload of File with Dangerous Type
CVSS 6.6
CVE-2021-3906 MEDIUM
BookStack < 21.10.1 - Unrestricted Upload of File with Dangerous Type
CVSS 6.5
CVE-2021-37221 HIGH
Customer Relationship Management System - Unrestricted File Upload
CVSS 8.8
CVE-2021-37372 HIGH
Online Student Admission System 1.0 - Authenticated Remote Code Execution via Profile Image Upload
CVSS 8.8
CVE-2021-40344 HIGH
Nagios XI 5.8.5 - Authenticated Remote Code Execution via Custom Includes File Upload
CVSS 7.2
CVE-2021-41178 HIGH
Nextcloud <20.0.13, 21.0.5, 22.2.0 - Path Traversal
CVSS 8.8
CVE-2021-39221 MEDIUM
Nextcloud Contacts < 4.0.3 - Stored Cross-Site Scripting via Malicious File Right-Click
CVSS 6.4
CVE-2021-42840 HIGH
SuiteCRM < 7.11.19 - Remote Code Execution via Log File Name Setting
CVSS 8.8
CVE-2021-41745 CRITICAL
ShowDoc < 2.8.5 - Unauthenticated Unrestricted File Upload
CVSS 9.8
CVE-2021-38471 CRITICAL
versiondog < 8.0.0 - Unauthenticated Arbitrary File Write via API Function Codes
CVSS 9.1
CVE-2021-39352 HIGH
WordPress Plugin Catch Themes Demo Import - Remote Code Execution
CVSS 7.2
CVE-2021-3846 HIGH
firefly-iii - Unrestricted Upload of File with Dangerous Type
CVSS 8.8
CVE-2021-38484 CRITICAL
InHand Networks IR615 Router <2.3.0.r4870 - RCE
CVSS 9.1
CVE-2021-38346 HIGH
Brizy Page Builder <=2.3.11 - Path Traversal
CVSS 8.8
CVE-2021-42342 CRITICAL
GoAhead 4.0.0-4.1.3 and 5.x < 5.1.5 - Unrestricted File Upload via CGI Environment Variable Tunneling
CVSS 9.8
CVE-2021-20131 HIGH
ManageEngine ADManager Plus < 7.1 - Authenticated Remote Code Execution via Personalization File Upload
CVSS 8.8
CVE-2021-20130 HIGH
ManageEngine ADManager Plus < 7.1 - Authenticated Remote Code Execution via PasswordExpiry File Upload
CVSS 8.8
CVE-2021-20125 CRITICAL
Draytek VigorConnect 1.6.0-B3 - Unauthenticated Arbitrary File Upload and Path Traversal via DownloadFileServlet
CVSS 9.8
CVE-2021-40189 HIGH
PHPFusion 9.03.110 - Remote Code Execution via Theme File Extraction
CVSS 7.2
CVE-2021-40188 HIGH
PHPFusion 9.03.110 - Code Injection
CVSS 7.2