CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,072 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 13 of 82
- CVE-2020-14209HIGHCVSS 8.8EG 8.82020-09-02
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure acce…
- CVE-2020-14488HIGHCVSS 8.8EG 8.82020-07-29
OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system.
- CVE-2020-1469HIGHCVSS 7.5EG 7.52020-07-14
A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka 'Bond Denial of Service Vulnerability'.
- CVE-2020-15189MEDIUMCVSS 6.8EG 6.82020-09-18
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to…
- CVE-2020-15277HIGHCVSS 7.2EG 7.22020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. T…
- CVE-2020-15488HIGHCVSS 7.5EG 7.52020-09-30
Re:Desk 2.3 allows insecure file upload.
- CVE-2020-15645HIGHCVSS 8.8EG 8.82020-08-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism c…
- CVE-2020-15649MEDIUMCVSS 5.5EG 5.52020-08-10
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating sys…
- CVE-2020-15667HIGHCVSS 8.8EG 8.82020-10-01
When processing a MAR update file, after the signature has been validated, an invalid name length could result in a heap overflow, leading to memory corruption and potentially arbitrary code execution. Within Firefox as released by Mozilla…
- CVE-2020-15839MEDIUMCVSS 6.5EG 6.52020-09-22
Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 and 7.2 before fix pack 6, does not restrict the size of a multipart/form-data POST action, which allows remote authenticated users to conduct denial-of-service attacks by…
- CVE-2020-17452HIGHCVSS 7.2EG 7.22020-08-09
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
- CVE-2020-17462HIGHCVSS 7.8EG 7.82020-08-14
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
- CVE-2020-18114CRITICALCVSS 9.8EG 9.82021-08-27
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.
- CVE-2020-18166CRITICALCVSS 9.8EG 9.82021-05-14
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".
- CVE-2020-18261CRITICALCVSS 9.8EG 9.82021-11-03
An arbitrary file upload vulnerability in the image upload function of ED01-CMS v1.0 allows attackers to execute arbitrary commands.
- CVE-2020-18432CRITICALCVSS 9.8EG 9.82023-06-30
File Upload vulnerability in SEMCMS PHP 3.7 allows remote attackers to upload arbitrary files and gain escalated privileges.
- CVE-2020-18462HIGHCVSS 7.2EG 7.22021-08-12
File Upload vulnerabilty in AikCms v2.0.0 in poster_edit.php because the background file management office does not verify the uploaded file.
- CVE-2020-18704CRITICALCVSS 9.8EG 9.82021-08-16
Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'.
- CVE-2020-18879CRITICALCVSS 9.8EG 9.82021-08-20
Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'.
- CVE-2020-18886HIGHCVSS 7.2EG 7.22021-08-20
Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.
- CVE-2020-18912CRITICALCVSS 9.8EG 9.82023-08-29
An issue found in Earcms Ear App v.20181124 allows a remote attacker to execute arbitrary code via the uload/index-uplog.php.
- CVE-2020-19028HIGHCVSS 7.5EG 7.52023-06-05
*File Upload vulnerability found in Emlog EmlogCMS v.6.0.0 allows a remote attacker to gain access to sensitive information via the /admin/plugin.php function.
- CVE-2020-19113CRITICALCVSS 9.8EG 9.82021-05-06
Arbitrary File Upload vulnerability in Online Book Store v1.0 in admin_add.php, which may lead to remote code execution.
- CVE-2020-19138CRITICALCVSS 9.8EG 9.82021-09-08
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".
- CVE-2020-19228HIGHCVSS 7.2EG 7.22022-05-11
An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files.
- CVE-2020-19267CRITICALCVSS 9.8EG 9.82021-09-09
An issue in index.php/Dswjcms/Basis/resources of Dswjcms 1.6.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2020-19302CRITICALCVSS 9.8EG 9.82021-08-03
An arbitrary file upload vulnerability in the avatar upload function of vaeThink v1.0.1 allows attackers to open a webshell via changing uploaded file suffixes to ".php".
- CVE-2020-19303HIGHCVSS 7.8EG 7.82021-08-03
An arbitrary file upload vulnerability in /fileupload.php of hdcms 5.7 allows attackers to execute arbitrary code via a crafted file.
- CVE-2020-19364HIGHCVSS 8.8EG 8.82021-01-20
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
- CVE-2020-19510CRITICALCVSS 9.8EG 9.82021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
- CVE-2020-19642MEDIUMCVSS 6.2EG 6.22021-03-30
An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B. A local attacker can execute arbitrary code via editing the 'recdata.db' file to call a specially crafted GoAhead ASP-file on the SD card.
- CVE-2020-19672CRITICALCVSS 9.8EG 9.82020-09-30
Niushop B2B2C Multi-business basic version V1.11, can bypass the administrator to obtain the background upload interface, through parameter upload, bypass the getimagesize function, upload php file, getshell.
- CVE-2020-19786HIGHCVSS 8.8EG 8.82023-03-23
File upload vulnerability in CSKaza CSZ CMS v.1.2.2 fixed in v1.2.4 allows attacker to execute aritrary commands and code via crafted PHP file.
- CVE-2020-19802CRITICALCVSS 9.8EG 9.82023-04-11
File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter.
- CVE-2020-20067HIGHCVSS 8.8EG 8.82023-06-20
File upload vulnerability in ebCMS v.1.1.0 allows a remote attacker to execute arbitrary code via the upload type parameter.
- CVE-2020-20092CRITICALCVSS 9.8EG 9.82021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP co…
- CVE-2020-20210HIGHCVSS 8.8EG 8.82023-06-26
Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.
- CVE-2020-20287CRITICALCVSS 9.8EG 9.82021-02-01
Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper judgment of the request parameters, triggers remote code execution.
- CVE-2020-20588HIGHCVSS 8.8EG 8.82022-12-15
File upload vulnerability in function upload in action/Core.class.php in zhimengzhe iBarn 1.5 allows remote attackers to run arbitrary code via avatar upload to index.php.
- CVE-2020-20670HIGHCVSS 8.8EG 8.82021-09-13
An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file.
- CVE-2020-20672HIGHCVSS 7.8EG 7.82021-09-13
An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file.
- CVE-2020-20691MEDIUMCVSS 6.5EG 6.52021-09-27
An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.
- CVE-2020-20718CRITICALCVSS 9.8EG 9.82023-06-20
File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.
- CVE-2020-20735CRITICALCVSS 9.8EG 9.82023-06-20
File Upload vulnerability in LJCMS v.4.3.R60321 allows a remote attacker to execute arbitrary code via the ljcms/index.php parameter.
- CVE-2020-20919HIGHCVSS 7.2EG 7.22023-06-20
File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.
- CVE-2020-20969HIGHCVSS 7.2EG 7.22023-06-20
File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.
- CVE-2020-20979CRITICALCVSS 9.8EG 9.82021-08-12
An arbitrary file upload vulnerability in the move_uploaded_file() function of LJCMS v4.3 allows attackers to execute arbitrary code.
- CVE-2020-21005MEDIUMCVSS 6.5EG 6.52021-06-03
WellCMS 2.0 beta3 is vulnerable to File Upload. A user can log in to the CMS background and upload a picture. Because the upload file type is controllable, the user can modify the upload file type to get webshell.
- CVE-2020-21174CRITICALCVSS 9.8EG 9.82023-06-20
File Upload vulenrability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.
- CVE-2020-21322CRITICALCVSS 9.8EG 9.82021-09-15
An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →