CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,075 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 35 of 82
- CVE-2023-1561MEDIUMCVSS 6.3EG 9.82023-03-22
A vulnerability, which was classified as critical, was found in code-projects Simple Online Hotel Reservation System 1.0. Affected is an unknown function of the file add_room.php. The manipulation leads to unrestricted upload. It is possib…
- CVE-2023-1684MEDIUMCVSS 4.7EG 9.82023-03-29
A vulnerability was found in HadSky 7.7.16. It has been classified as problematic. This affects an unknown part of the file upload/index.php?c=app&a=superadmin:index. The manipulation leads to unrestricted upload. It is possible to initiat…
- CVE-2023-1713HIGHCVSS 8.8EG 8.82023-11-01
Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code via uploading a crafted ".htaccess" fil…
- CVE-2023-1720CRITICALCVSS 9.6EG 9.62023-11-01
Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrato…
- CVE-2023-1721CRITICALCVSS 9.1EG 9.12023-06-24
Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.
- CVE-2023-1728CRITICALCVSS 9.8EG 10.02023-04-04
Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection, Server Side Include (SSI) Injection. This issue affects LMS: before 23.04.03.
- CVE-2023-1731HIGHCVSS 7.2EG 7.22023-04-24
In Meinbergs LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands.
- CVE-2023-1734HIGHCVSS 7.3EG 9.82023-03-30
A vulnerability classified as critical has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0. Affected is an unknown function of the file admin/products/controller.php?action=add. The manipulation of the argument image l…
- CVE-2023-1739MEDIUMCVSS 6.3EG 9.82023-03-30
A vulnerability was found in SourceCodester Simple and Beautiful Shopping Cart System 1.0 and classified as critical. This issue affects some unknown processing of the file upload.php. The manipulation leads to unrestricted upload. The att…
- CVE-2023-1744MEDIUMCVSS 6.3EG 8.82023-03-30
A vulnerability classified as critical was found in IBOS 4.5.5. This vulnerability affects unknown code of the component htaccess Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has…
- CVE-2023-1797MEDIUMCVSS 6.3EG 9.82023-04-02
A vulnerability classified as critical was found in OTCMS 6.0.1. Affected by this vulnerability is an unknown functionality of the file sysCheckFile.php?mudi=sql. The manipulation leads to unrestricted upload. The attack can be launched re…
- CVE-2023-1800HIGHCVSS 7.3EG 7.32023-04-02
A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to p…
- CVE-2023-1826MEDIUMCVSS 6.3EG 9.82023-04-04
A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file php-ocls\admin\system_info\index.php. The manipulation of the argument img leads …
- CVE-2023-1942MEDIUMCVSS 6.3EG 9.82023-04-07
A vulnerability has been found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/?page=user of the component Avatar Handler. The…
- CVE-2023-1970MEDIUMCVSS 6.3EG 7.22023-04-10
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in yuan1994 tpAdmin 1.3.12. This issue affects the function Upload of the file application\admin\controller\Upload.php. The manipulation o…
- CVE-2023-20009MEDIUMCVSS 6.5EG 7.22023-03-01
A vulnerability in the Web UI and administrative CLI of the Cisco Secure Email Gateway (ESA) and Cisco Secure Email and Web Manager (SMA) could allow an authenticated remote attacker and or authenticated local attacker to escalate their pr…
- CVE-2023-20040MEDIUMCVSS 5.5EG 5.52023-01-20
A vulnerability in the NETCONF service of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected system that is running as the root user. To exploit this vu…
- CVE-2023-20073MEDIUMCVSS 5.3EG 9.82023-04-05
A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerabilit…
- CVE-2023-20134MEDIUMCVSS 5.4EG 6.52023-04-05
Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about t…
- CVE-2023-20195MEDIUMCVSS 4.7EG 4.72023-11-01
Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device.…
- CVE-2023-20196MEDIUMCVSS 4.7EG 4.72023-11-01
Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device.…
- CVE-2023-2034HIGHCVSS 8.8EG 8.82023-04-14
Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14.
- CVE-2023-2063MEDIUMCVSS 6.3EG 6.32023-06-02
Unrestricted Upload of File with Dangerous Type vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthen…
- CVE-2023-2068CRITICALCVSS 9.8EG 9.82023-06-27
The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not includ…
- CVE-2023-2071CRITICALCVSS 9.8EG 9.82023-09-12
Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets. The device has the func…
- CVE-2023-2245MEDIUMCVSS 6.3EG 6.32023-04-22
A vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack c…
- CVE-2023-22450HIGHCVSS 7.2EG 7.22023-06-06
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code exec…
- CVE-2023-2246MEDIUMCVSS 6.3EG 6.32023-04-23
A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/ajax.php?action=save_settings. The manipulation of the argument img lea…
- CVE-2023-22504MEDIUMCVSS 6.5EG 4.32023-05-25
Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.
- CVE-2023-22726HIGHCVSS 8.0EG 8.02023-01-20
act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the ho…
- CVE-2023-22851HIGHCVSS 7.2EG 7.22023-01-14
Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
- CVE-2023-22890HIGHCVSS 7.5EG 7.52023-03-08
SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition.
- CVE-2023-22937MEDIUMCVSS 4.3EG 4.32023-02-14
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .…
- CVE-2023-23135HIGHCVSS 7.2EG 7.22023-02-01
An arbitrary file upload vulnerability in Ftdms v3.1.6 allows attackers to execute arbitrary code via uploading a crafted JPG file.
- CVE-2023-23328HIGHCVSS 8.8EG 8.82023-03-10
A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file.
- CVE-2023-23607CRITICALCVSS 9.8EG 9.82023-01-20
erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows for any file to uploa…
- CVE-2023-23656CRITICALCVSS 10.0EG 10.02024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in MainWP MainWP File Uploader Extension.This issue affects MainWP File Uploader Extension: from n/a through 4.1.
- CVE-2023-23707MEDIUMCVSS 5.9EG 5.42023-03-23
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Unrestricted Upload of File with Dangerous Type vulnerability in Awsm Innovations Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files allo…
- CVE-2023-23851MEDIUMCVSS 5.4EG 5.42023-02-14
SAP Business Planning and Consolidation - versions 200, 300, allows an attacker with business authorization to upload any files (including web pages) without the proper file format validation. If other users visit the uploaded malicious we…
- CVE-2023-23937HIGHCVSS 8.2EG 8.22023-02-03
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticate…
- CVE-2023-23970HIGHCVSS 8.8EG 9.92023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa.This issue affects Corsa: from n/a through 1.5.
- CVE-2023-24045MEDIUMCVSS 6.5EG 6.52023-03-01
In Dataiku DSS 11.2.1, an attacker can download other Dataiku files that were uploaded to the myfiles section by specifying the target username in a download request.
- CVE-2023-2419MEDIUMCVSS 4.7EG 4.72023-04-29
A vulnerability was found in Zhong Bang CRMEB 4.6.0. It has been declared as critical. This vulnerability affects the function videoUpload of the file \crmeb\app\services\system\attachment\SystemAttachmentServices.php. The manipulation of …
- CVE-2023-24202CRITICALCVSS 9.8EG 9.82023-02-06
Raffle Draw System v1.0 was discovered to contain a local file inclusion vulnerability via the page parameter in index.php.
- CVE-2023-2424MEDIUMCVSS 6.3EG 6.32023-04-29
A vulnerability was found in DedeCMS 5.7.106 and classified as critical. Affected by this issue is the function UpDateMemberModCache of the file uploads/dede/config.php. The manipulation leads to unrestricted upload. The attack may be laun…
- CVE-2023-24249HIGHCVSS 7.2EG 7.22023-02-27
An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2023-24269HIGHCVSS 8.8EG 8.82023-04-28
An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file.
- CVE-2023-24317HIGHCVSS 8.1EG 8.12023-02-23
Judging Management System 1.0 was discovered to contain an arbitrary file upload vulnerability via the component edit_organizer.php.
- CVE-2023-24507HIGHCVSS 8.8EG 8.82023-05-08
AgilePoint NX v8.0 SU2.2 & SU2.3 – Insecure File Upload - Vulnerability allows insecure file upload, by an unspecified request.
- CVE-2023-24517MEDIUMCVSS 6.4EG 6.42023-08-22
Unrestricted Upload of File with Dangerous Type vulnerability in the Pandora FMS File Manager component, allows an attacker to make make use of this issue ( unrestricted file upload ) to execute arbitrary system commands. This issue affect…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →