CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,072 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 14 of 82
- CVE-2020-21325HIGHCVSS 8.8EG 8.82023-06-20
An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file.
- CVE-2020-21359CRITICALCVSS 9.8EG 9.82021-08-11
An arbitrary file upload vulnerability in the Template Upload function of Maccms10 allows attackers bypass the suffix whitelist verification to execute arbitrary code via adding a character to the end of the uploaded file's name.
- CVE-2020-21452CRITICALCVSS 9.8EG 9.82021-04-29
An issue was discovered in uniview ISC2500-S. This is an upload vulnerability where an attacker can upload malicious code via /Interface/DevManage/EC.php?cmd=upload
- CVE-2020-21474CRITICALCVSS 9.8EG 9.82023-06-20
File Upload vulnerability in NucleusCMS v.3.71 allows a remote attacker to execute arbitrary code via the /nucleus/plugins/skinfiles/?dir=rsd parameter.
- CVE-2020-21481HIGHCVSS 7.2EG 7.22021-09-15
An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file.
- CVE-2020-21483HIGHCVSS 7.2EG 7.22021-09-15
An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file.
- CVE-2020-21489CRITICALCVSS 9.8EG 9.82023-06-20
File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.
- CVE-2020-21516CRITICALCVSS 9.8EG 9.82022-09-06
There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 at the head image upload, that allows attackers to execute relevant PHP code.
- CVE-2020-21564HIGHCVSS 8.8EG 8.82020-09-30
An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?action=files.
- CVE-2020-21585CRITICALCVSS 9.8EG 9.82021-04-02
Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module.
- CVE-2020-21786CRITICALCVSS 9.8EG 9.82021-06-24
In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php.
- CVE-2020-21787CRITICALCVSS 9.8EG 9.82021-06-24
CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.
- CVE-2020-21861HIGHCVSS 8.8EG 8.82023-07-06
File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload.
- CVE-2020-21976HIGHCVSS 8.8EG 8.82021-08-11
An arbitrary file upload in the <input type="file" name="user_image"> component of NewsOne CMS v1.1.0 allows attackers to webshell and execute arbitrary commands.
- CVE-2020-22151CRITICALCVSS 9.8EG 9.82023-07-03
Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the assests parameter of the upload function.
- CVE-2020-22153CRITICALCVSS 9.8EG 9.82023-07-03
File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file to the upload parameter in the navigation function.
- CVE-2020-22159HIGHCVSS 8.8EG 8.82023-07-18
EVERTZ devices 3080IPX exe-guest-v1.2-r26125, 7801FC 1.3 Build 27, and 7890IXG V494 are vulnerable to Arbitrary File Upload, allowing an authenticated attacker to upload a webshell or overwrite any critical system files.
- CVE-2020-22249CRITICALCVSS 9.8EG 9.82021-07-06
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be c…
- CVE-2020-22539HIGHCVSS 7.2EG 7.22024-04-15
An arbitrary file upload vulnerability in the Add Category function of Codoforum v4.9 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2020-22643HIGHCVSS 7.2EG 7.22021-01-26
Feehi CMS 2.1.0 is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. After an administrator logs in, open the administrator image upload page to potentially upload malicious files.
- CVE-2020-22721HIGHCVSS 7.8EG 7.82020-08-14
A File Upload Vulnerability in PNotes - Andrey Gruber PNotes.NET v3.8.1.2 allows a local attacker to execute arbitrary code via the Miscellaneous " External Programs by uploading the malicious .exe file to the external program.
- CVE-2020-22722HIGHCVSS 7.8EG 7.82020-08-14
Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renami…
- CVE-2020-22755HIGHCVSS 8.8EG 8.82023-05-08
File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.
- CVE-2020-23043HIGHCVSS 8.8EG 8.82021-10-22
Tran Tu Air Sender v1.0.2 was discovered to contain an arbitrary file upload vulnerability in the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted file.
- CVE-2020-23083CRITICALCVSS 9.8EG 9.82021-05-03
Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload".
- CVE-2020-23138CRITICALCVSS 9.8EG 9.82020-11-09
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type wit…
- CVE-2020-23520HIGHCVSS 7.2EG 7.22020-12-09
imcat 5.2 allows an authenticated file upload and consequently remote code execution via the picture functionality.
- CVE-2020-23564HIGHCVSS 7.2EG 7.22023-08-05
File Upload vulnerability in SEMCMS 3.9 allows remote attackers to run arbitrary code via SEMCMS_Upfile.php.
- CVE-2020-23572HIGHCVSS 8.8EG 8.82021-11-08
BEESCMS v4.0 was discovered to contain an arbitrary file upload vulnerability via the component /admin/upload.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.
- CVE-2020-23574MEDIUMCVSS 6.5EG 6.52020-08-19
When uploading a file in Sysax Multi Server 6.90, an authenticated user can modify the filename="" parameter in the uploadfile_name1.htm form to a length of 368 or more bytes. This will create a buffer overflow condition, causing the appli…
- CVE-2020-23591CRITICALCVSS 9.8EG 9.82022-11-23
A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through " /mgm_dev_upgrade.asp " which can "delete every file for Denial of Service (using 'rm…
- CVE-2020-23765HIGHCVSS 7.2EG 7.22021-05-21
A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and con…
- CVE-2020-23790CRITICALCVSS 9.8EG 9.82021-05-12
An Arbitrary File Upload vulnerability was discovered in the Golo Laravel theme v 1.1.5.
- CVE-2020-23828CRITICALCVSS 9.8EG 9.82020-09-15
A File Upload vulnerability in SourceCodester Online Course Registration v1.0 allows remote attackers to achieve Remote Code Execution (RCE) on the hosting webserver by uploading a crafted PHP web-shell that bypasses the image upload filte…
- CVE-2020-23829HIGHCVSS 8.8EG 8.82020-09-01
interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously…
- CVE-2020-23972HIGHCVSS 7.5EG 7.52020-08-27
In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by …
- CVE-2020-24186CRITICALCVSS 10.0EG 10.02020-08-24
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
- CVE-2020-24195CRITICALCVSS 9.1EG 9.12020-09-09
An Arbitrary File Upload in the Upload Image component in Sourcecodester Online Bike Rental v1.0 allows authenticated administrator to conduct remote code execution.
- CVE-2020-24196HIGHCVSS 7.2EG 7.22020-08-27
An Arbitrary File Upload in Vehicle Image Upload in Online Bike Rental v1.0 allows authenticated admin to conduct remote code execution.
- CVE-2020-24199CRITICALCVSS 9.8EG 9.82020-09-09
Arbitrary File Upload in the Vehicle Image Upload component in Project Worlds Car Rental Management System v1.0 allows attackers to conduct remote code execution.
- CVE-2020-24202CRITICALCVSS 9.8EG 9.82020-08-27
File Upload component in Projects World House Rental v1.0 suffers from an arbitrary file upload vulnerability with regular users, which allows remote attackers to conduct code execution.
- CVE-2020-24203CRITICALCVSS 9.8EG 9.82020-08-27
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
- CVE-2020-24407CRITICALCVSS 9.1EG 9.12020-11-09
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions t…
- CVE-2020-24549HIGHCVSS 8.8EG 8.82021-01-26
openMAINT before 1.1-2.4.2 allows remote authenticated users to run arbitrary JSP code on the underlying web server.
- CVE-2020-24948HIGHCVSS 7.2EG 7.22020-09-03
The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.
- CVE-2020-24986HIGHCVSS 7.2EG 7.22020-09-04
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.
- CVE-2020-25010CRITICALCVSS 9.8EG 9.82020-12-17
An arbitrary code execution vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to upload a malicious script file by constructing a POST type request…
- CVE-2020-25037HIGHCVSS 8.2EG 8.22021-02-02
UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command.
- CVE-2020-25042HIGHCVSS 7.2EG 7.22020-09-03
An arbitrary file upload issue exists in Mara CMS 7.5. In order to exploit this, an attacker must have a valid authenticated (admin/manager) session and make a codebase/dir.php?type=filenew request to upload PHP code to codebase/handler.ph…
- CVE-2020-25106HIGHCVSS 7.8EG 7.82020-12-22
Nanosystems SupRemo 4.1.3.2348 allows attackers to obtain LocalSystem access because File Manager can be used to rename Supremo.exe and then upload a Trojan horse with the Supremo.exe filename.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →