CWE-434

Medium likelihood

Unrestricted Upload of File with Dangerous Type

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

4,119 vulnerabilities with CWE-434
CVE-2024-26503 CRITICAL
Openeclass < 3.15 - Unrestricted File Upload
CVSS 9.1
CVE-2024-28425 HIGH
greykite 1.0.0 - Remote Code Execution via Arbitrary File Upload in load_obj Function
CVSS 7.5
CVE-2024-28423 CRITICAL
Airflow-Diagrams 2.1.0 - Remote Code Execution via YML File Upload
CVSS 9.8
CVE-2024-28418 MEDIUM
Webedition CMS 9.2.2.0 - Unrestricted File Upload via we_cmd.php
CVSS 6.5
CVE-2024-0800 HIGH
Arcserve Unified Data Protection <9.2-8.1 - Path Traversal
CVSS 8.8
CVE-2024-1311 HIGH
Brizy < 2.4.41 - Authenticated Arbitrary File Upload via storeImages Function
CVSS 8.8
CVE-2024-2406 MEDIUM
Gacjie Server <1.0 - Unrestricted Upload
CVSS 5.4
CVE-2024-1527 CRITICAL
CMS Made Simple 2.2.14 - Authenticated Unrestricted File Upload and Remote Code Execution
CVSS 9.8
CVE-2024-2394 MEDIUM
SourceCodester Employee Management System 1.0 - Unrestricted File Upload via Avatar Parameter in Admin Add-Admin
CVSS 4.7
CVE-2024-25994 MEDIUM
CHARX SEC-3000/3050/3100/3150 Firmware < 1.5.1 - Unauthenticated Arbitrary File Upload
CVSS 5.3
CVE-2024-2268 MEDIUM
keerti1924 Online-Book-Store-Website 1.0 - Unrestricted Upload
CVSS 4.7
CVE-2024-1986 HIGH
Booster Elite for WooCommerce <7.1.7 - RCE
CVSS 8.8
CVE-2024-27733 HIGH
Byzro Network Smart s42 Management Platform S42 - Unrestricted File Upload via useratte/userattestation.php
CVSS 7.7
CVE-2024-2148 MEDIUM
Online Mobile Store Management System 1.0 - Unrestricted File Upload via Users.php img Argument
CVSS 6.3
CVE-2024-27747 CRITICAL
Petrol Pump Management Software <1.0 - RCE
CVSS 9.8
CVE-2024-2059 MEDIUM
SourceCodester Petrol Pump Management Software 1.0 - Unauthenticated Arbitrary File Upload
CVSS 4.7
CVE-2024-2058 MEDIUM
SourceCodester Petrol Pump Management Software 1.0 - Unauthenticated Arbitrary File Upload via Product Photo Parameter
CVSS 4.7
CVE-2024-0864 CRITICAL
Laragon 7.0.0 - Remote Code Execution via Simple Ajax Uploader file_upload.php
CVSS 9.8
CVE-2024-1468 HIGH
Avada < 7.11.4 - Authenticated Arbitrary File Upload via ajax_import_options()
CVSS 8.8
CVE-2024-25832 HIGH
F-logic DataCube3 v1.0 - Authenticated Unrestricted File Upload via Filename Extension Manipulation
CVSS 8.8
CVE-2024-24146 MEDIUM
libming v0.4.8 - Denial of Service via Memory Leak in parseSWF_DEFINEBUTTON
CVSS 6.5
CVE-2024-23946 MEDIUM
Apache OFBiz < 18.12.12 - Path Traversal and Arbitrary File Inclusion
CVSS 5.3
CVE-2024-25869 HIGH
CodeAstro Membership Management System 1.0 - Unauthenticated Remote Code Execution via settings.php File Upload
CVSS 8.8
CVE-2024-1932 MEDIUM
freescout-helpdesk/freescout - File Injection
CVSS 4.8
CVE-2024-25846 CRITICAL
simpleimportproduct <= 6.7.0 - Unauthenticated Unrestricted Upload of File with Dangerous Type
CVSS 9.1
Details
Vulnerabilities 4,119
Exploit Likelihood Medium