CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,073 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 29 of 82
- CVE-2022-30506CRITICALCVSS 9.8EG 9.82022-06-02
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
- CVE-2022-30529HIGHCVSS 7.2EG 7.22022-11-22
File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/applicati…
- CVE-2022-3076HIGHCVSS 7.2EG 7.22022-09-26
The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP …
- CVE-2022-30808CRITICALCVSS 9.8EG 9.82022-06-02
elitecms 1.0.1 is vulnerable to Arbitrary code execution via admin/manage_uploads.php.
- CVE-2022-30819HIGHCVSS 8.8EG 8.82022-06-02
In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of "photos_edit.php" file.
- CVE-2022-30820HIGHCVSS 8.8EG 8.82022-06-02
In Wedding Management v1.0, there is an arbitrary file upload vulnerability in the picture upload point of "users_edit.php" file.
- CVE-2022-30821HIGHCVSS 8.8EG 8.82022-06-02
In Wedding Management System v1.0, the editing function of the "Services" module in the background management system has an arbitrary file upload vulnerability in the picture upload point of "package_edit.php" file.
- CVE-2022-30822HIGHCVSS 8.8EG 8.82022-06-02
In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of "users_profile.php" file.
- CVE-2022-30860HIGHCVSS 7.2EG 7.22022-06-06
FUDforum 3.1.2 is vulnerable to Remote Code Execution through Upload File feature of File Administration System in Admin Control Panel.
- CVE-2022-30887CRITICALCVSS 9.8EG 9.82022-05-20
Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image fil…
- CVE-2022-31041HIGHCVSS 7.6EG 7.62022-06-13
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. o…
- CVE-2022-31086HIGHCVSS 8.8EG 8.82022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. T…
- CVE-2022-31134MEDIUMCVSS 4.9EG 4.92022-07-12
Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this …
- CVE-2022-31161CRITICALCVSS 10.0EG 10.02022-07-15
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the…
- CVE-2022-3125HIGHCVSS 8.8EG 8.82022-10-03
The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files o…
- CVE-2022-3129MEDIUMCVSS 6.3EG 9.82022-09-07
A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack m…
- CVE-2022-31362HIGHCVSS 8.8EG 8.82022-06-23
Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
- CVE-2022-31366HIGHCVSS 7.2EG 7.22022-10-20
An arbitrary file upload vulnerability in the apiImportLabs function in api_labs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file.
- CVE-2022-31374CRITICALCVSS 9.8EG 9.82022-06-21
An arbitrary file upload vulnerability /images/background/1.php in of SolarView Compact 6.0 allows attackers to execute arbitrary code via a crafted php file.
- CVE-2022-31854HIGHCVSS 7.2EG 7.22022-07-07
Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
- CVE-2022-31943CRITICALCVSS 9.8EG 9.82022-07-01
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.
- CVE-2022-32019CRITICALCVSS 9.8EG 9.82022-06-02
Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.
- CVE-2022-32114HIGHCVSS 8.8EG 4.62022-07-13
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (…
- CVE-2022-32119HIGHCVSS 8.8EG 8.82022-07-15
Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.
- CVE-2022-32176CRITICALCVSS 9.0EG 9.02022-10-17
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploa…
- CVE-2022-32177CRITICALCVSS 9.0EG 9.02022-10-14
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the 'Normal Upload' functionality to the Media Library. When an admin user views the uplo…
- CVE-2022-32413CRITICALCVSS 9.8EG 9.82022-07-05
An arbitrary file upload vulnerability in Dice v4.2.0 allows attackers to execute arbitrary code via a crafted file.
- CVE-2022-32433HIGHCVSS 7.2EG 7.22022-06-15
itsourcecode Advanced School Management System v1.0 is vulnerable to Arbitrary code execution via ip/school/view/all_teacher.php.
- CVE-2022-3257LOWCVSS 3.1EG 3.12022-09-23
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resultin…
- CVE-2022-32994CRITICALCVSS 9.8EG 9.82022-06-27
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
- CVE-2022-33166HIGHCVSS 7.2EG 7.22023-06-15
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 228586.
- CVE-2022-33859HIGHCVSS 8.1EG 9.82022-10-28
A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation’s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures…
- CVE-2022-34024HIGHCVSS 7.2EG 7.22022-07-19
Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.
- CVE-2022-34115CRITICALCVSS 9.8EG 9.82022-07-22
DataEase v1.11.1 was discovered to contain a arbitrary file write vulnerability via the parameter dataSourceId.
- CVE-2022-34120HIGHCVSS 7.2EG 7.22022-07-27
Barangay Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the module editing function at /pages/activity/activity.php.
- CVE-2022-34128CRITICALCVSS 9.8EG 9.82023-04-16
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.
- CVE-2022-34154HIGHCVSS 7.2EG 8.82022-08-01
Authenticated (author or higher user role) Arbitrary File Upload vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.
- CVE-2022-3416HIGHCVSS 7.2EG 7.22023-01-09
The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multis…
- CVE-2022-3436MEDIUMCVSS 6.3EG 7.52022-10-09
A vulnerability classified as critical was found in SourceCodester Web-Based Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file edit-photo.php of the component Photo Handler. The manipulati…
- CVE-2022-34482HIGHCVSS 8.8EG 8.82022-12-22
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious …
- CVE-2022-34483HIGHCVSS 8.8EG 8.82022-12-22
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious …
- CVE-2022-34496CRITICALCVSS 9.8EG 9.82022-07-29
Hiby R3 PRO firmware v1.5 to v1.7 was discovered to contain a file upload vulnerability via the file upload feature.
- CVE-2022-34549HIGHCVSS 8.8EG 8.82022-07-27
Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file.
- CVE-2022-34578HIGHCVSS 7.2EG 7.22022-07-28
Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.
- CVE-2022-3458MEDIUMCVSS 6.3EG 9.82022-10-12
A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler.…
- CVE-2022-34613CRITICALCVSS 9.8EG 9.82022-08-02
Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file.
- CVE-2022-3478MEDIUMCVSS 4.3EG 4.32023-01-26
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by upload…
- CVE-2022-34965HIGHCVSS 7.2EG 7.22022-07-25
OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/com_installer. This vulnerability allows attackers to execute arbitrary code via…
- CVE-2022-34971HIGHCVSS 8.8EG 8.82022-07-27
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2022-35150CRITICALCVSS 9.8EG 9.82022-08-22
Baijicms v4 was discovered to contain an arbitrary file upload vulnerability.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →