CWE-434

Exploit likelihood: Medium

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,130 vulnerabilities with CWE-434
CVE-2021-35963 CRITICAL
Orca HCM < 10.0 - Unauthenticated Remote Code Execution via File Upload
CVSS 9.8
CVE-2021-29699 MEDIUM
IBM Security Verify Access Docker 10.0.0 - Authenticated Arbitrary File Upload
CVSS 6.8
CVE-2021-36121 HIGH
Echo ShareCare 8.15.5 - Path Traversal
CVSS 8.8
CVE-2021-30118 CRITICAL
Kaseya VSA < 9.5.5 - Unauthenticated Arbitrary File Upload and Remote Code Execution via SystemTab/uploader.aspx
CVSS 9.8
CVE-2021-28931 HIGH
Fork CMS < 5.9.3 - Arbitrary File Upload via Themes Panel Zip File
CVSS 8.8
CVE-2021-32538 CRITICAL
ARTWARE CMS < 2021-01-08 - Unauthenticated Arbitrary File Upload and Remote Code Execution via Image Upload Function
CVSS 9.8
CVE-2021-34624 CRITICAL
ProfilePress 3.0.0-3.1.3 - Unauthenticated Arbitrary File Upload via FileUploader Component
CVSS 9.8
CVE-2021-34623 CRITICAL
ProfilePress 3.0.0-3.1.3 - Unauthenticated Arbitrary File Upload via Image Uploader
CVSS 9.8
CVE-2021-20104 HIGH
Machform < 16 - Unauthenticated Remote Code Execution via File Attachment Upload
CVSS 8.1
CVE-2021-34427 CRITICAL
Eclipse BIRT < 4.8.0 - Remote Code Execution via JSP File Upload
CVSS 9.8
CVE-2021-34074 CRITICAL
PandoraFMS <= 754 - Remote Code Execution via File Manager Relative Path Bypass
CVSS 9.8
CVE-2021-28976 HIGH
GetSimpleCMS < 3.3.15 - Remote Code Execution via PHAR File Upload
CVSS 7.2
CVE-2021-24376 CRITICAL
Autoptimize < 2.7.8 - Remote Code Execution via Import Settings Archive Extraction Bypass
CVSS 9.8
CVE-2021-24370 CRITICAL
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and Remote Code Execution
CVSS 9.8
CVE-2021-32243 HIGH
FOGProject 1.5.9 - Authenticated Remote Code Execution via File Upload
CVSS 8.8
CVE-2021-34551 HIGH
PHPMailer < 6.5.0 - Remote Code Execution via Untrusted lang_path UNC Pathname
CVSS 8.1
CVE-2021-27489 HIGH
ZOLL Defibrillator Dashboard < 2.2 - Remote Code Execution
CVSS 8.8
CVE-2021-34128 HIGH
LaikeTui 3.5.0 - Authenticated Arbitrary PHP File Upload via ZIP Archive
CVSS 8.8
CVE-2021-23394 HIGH
elFinder < 2.1.58 - Remote Code Execution via .phar File Upload
CVSS 8.1
CVE-2021-26828 HIGH KEV
ScadaBR < 0.9.1 - Authenticated Arbitrary JSP File Upload via view_edit.shtm
CVSS 8.8
CVE-2021-26473 CRITICAL
Vembu BDR Suite and OffsiteDR < 4.2.0.1 - Unauthenticated Arbitrary File Write via logFilePath Parameter
CVSS 9.8
CVE-2021-3277 HIGH
Nagios XI < 5.7.5 - Authenticated Remote Code Execution via Custom-Includes Rename Functionality
CVSS 7.2
CVE-2021-32661 MEDIUM
@backstage/plugin-techdocs < 0.9.5 - Stored Cross-Site Scripting via Object Element Injection
CVSS 6.8
CVE-2021-32660 MEDIUM
@backstage/techdocs-common < 0.6.4 - Information Disclosure
CVSS 6.8
CVE-2021-29092 HIGH
Synology Photo Station 6.8-6.8.13 - Authenticated Arbitrary File Upload and Remote Code Execution
CVSS 8.8