CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,077 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 36 of 82
- CVE-2023-24530HIGHCVSS 8.4EG 9.12023-02-14
SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can pe…
- CVE-2023-24610HIGHCVSS 8.8EG 8.82023-02-01
NOSH 4a5cfdb allows remote authenticated users to execute PHP arbitrary code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product…
- CVE-2023-24646CRITICALCVSS 9.8EG 9.82023-02-13
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2023-24720CRITICALCVSS 9.8EG 9.82023-04-05
An arbitrary file upload vulnerability in readium-js v0.32.0 allows attackers to execute arbitrary code via uploading a crafted EPUB file.
- CVE-2023-24834MEDIUMCVSS 6.5EG 6.52023-03-27
WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within UR…
- CVE-2023-25132CRITICALCVSS 9.1EG 9.12023-04-24
Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/…
- CVE-2023-2523HIGHCVSS 7.3EG 9.02023-05-04
A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan le…
- CVE-2023-25365HIGHCVSS 7.8EG 7.82024-02-08
Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3
- CVE-2023-25402HIGHCVSS 7.5EG 7.52023-03-03
CleverStupidDog yf-exam 1.8.0 is vulnerable to File Upload. There is no restriction on the suffix of the uploaded file, resulting in any file upload.
- CVE-2023-25444CRITICALCVSS 9.1EG 9.12024-05-17
Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a throu…
- CVE-2023-25654CRITICALCVSS 9.8EG 9.82023-03-23
baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch.
- CVE-2023-25655CRITICALCVSS 9.8EG 9.82023-03-23
baserCMS is a Content Management system. Prior to version 4.7.5, any file may be uploaded on the management system of baserCMS. Version 4.7.5 contains a patch.
- CVE-2023-25828HIGHCVSS 7.2EG 7.22023-03-27
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the u…
- CVE-2023-25909CRITICALCVSS 9.8EG 9.82023-03-27
HGiga OAKlouds file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary command or dis…
- CVE-2023-25921HIGHCVSS 8.5EG 8.52024-02-29
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 247620.
- CVE-2023-25922MEDIUMCVSS 4.3EG 4.32024-02-28
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 247621.
- CVE-2023-25970CRITICALCVSS 9.8EG 10.02023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0.
- CVE-2023-26098HIGHCVSS 8.2EG 8.22023-04-25
An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b. An attacker may upload a crafted file to execute arbitrary code.
- CVE-2023-26262HIGHCVSS 7.2EG 8.82023-03-14
An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server.
- CVE-2023-2648MEDIUMCVSS 6.3EG 9.02023-05-11
A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It …
- CVE-2023-26578HIGHCVSS 8.8EG 8.82023-10-25
Arbitrary file upload to web root in the IDAttend’s IDWeb application 3.1.013 allows authenticated attackers to upload dangerous files to web root such as ASP or ASPX, gaining command execution on the affected server.
- CVE-2023-26686CRITICALCVSS 9.8EG 9.82024-09-25
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
- CVE-2023-26690HIGHCVSS 8.8EG 8.82024-09-25
File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via File Manager/Editor component in the vendor or admin menu.
- CVE-2023-26762HIGHCVSS 8.8EG 8.82023-02-27
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an arbitrary file upload vulnerability.
- CVE-2023-26775HIGHCVSS 7.8EG 7.82023-04-04
File Upload vulnerability found in Monitorr v.1.7.6 allows a remote attacker t oexecute arbitrary code via a crafted file upload to the assets/php/upload.php endpoint.
- CVE-2023-26830HIGHCVSS 7.2EG 7.22023-03-31
An unrestricted file upload vulnerability in the administrative portal branding component of Gladinet CentreStack before 13.5.9808 allows authenticated attackers to execute arbitrary code by uploading malicious files to the server.
- CVE-2023-26852HIGHCVSS 7.2EG 7.22023-04-12
An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.
- CVE-2023-26857HIGHCVSS 7.2EG 7.22023-04-05
An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2023-26949CRITICALCVSS 9.8EG 9.82023-03-06
An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.
- CVE-2023-26968CRITICALCVSS 9.8EG 9.82023-03-29
In Atrocore 1.5.25, the Create Import Feed option with glyphicon-glyphicon-paperclip function is vulnerable to Unauthenticated File upload.
- CVE-2023-27033CRITICALCVSS 9.8EG 9.82023-04-07
Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent().
- CVE-2023-27083HIGHCVSS 7.2EG 7.22023-06-22
An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality.
- CVE-2023-2712CRITICALCVSS 9.8EG 10.02023-05-20
Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server. This issue …
- CVE-2023-27164MEDIUMCVSS 4.8EG 4.82023-03-10
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.
- CVE-2023-27168CRITICALCVSS 9.8EG 9.82024-01-19
An arbitrary file upload vulnerability in Xpand IT Write-back Manager v2.3.1 allows attackers to execute arbitrary code via a crafted jsp file.
- CVE-2023-27178CRITICALCVSS 9.8EG 9.82023-04-10
An arbitrary file upload vulnerability in the upload function of GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a crafted file.
- CVE-2023-27179HIGHCVSS 7.5EG 9.02023-04-11
GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php.
- CVE-2023-27235HIGHCVSS 7.2EG 7.22023-03-15
An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file.
- CVE-2023-27246HIGHCVSS 8.8EG 8.82023-03-28
An arbitrary file upload vulnerability in the Virtual Disk of MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted .htaccess file.
- CVE-2023-2738MEDIUMCVSS 6.3EG 6.32023-05-16
A vulnerability classified as critical has been found in Tongda OA 11.10. This affects the function actionGetdata of the file GatewayController.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remot…
- CVE-2023-27397CRITICALCVSS 9.8EG 9.82023-05-23
Unrestricted upload of file with dangerous type exists in MicroEngine Mailform version 1.1.0 to 1.1.8. If the product's file upload function and server save option are enabled, a remote attacker may save an arbitrary file on the server and…
- CVE-2023-27440HIGHCVSS 7.2EG 7.22024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in OnTheGoSystems Types.This issue affects Types: from n/a through 3.4.17.
- CVE-2023-27602CRITICALCVSS 9.8EG 9.82023-04-10
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we s…
- CVE-2023-27753HIGHCVSS 8.0EG 8.02026-05-12
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-27755HIGHCVSS 8.8EG 8.82023-04-17
go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download.
- CVE-2023-27757CRITICALCVSS 9.8EG 9.82023-03-15
An arbitrary file upload vulnerability in the /admin/user/uploadImg component of PerfreeBlog v3.1.1 allows attackers to execute arbitrary code via a crafted JPG file.
- CVE-2023-2776MEDIUMCVSS 6.3EG 6.32023-05-17
A vulnerability was found in code-projects Simple Photo Gallery 1.0. It has been declared as critical. This vulnerability affects unknown code. The manipulation leads to unrestricted upload. The attack can be initiated remotely. VDB-229282…
- CVE-2023-27881HIGHCVSS 8.0EG 8.02023-06-07
A user could use the “Upload Resource” functionality to upload files to any location on the disk.
- CVE-2023-28128HIGHCVSS 7.2EG 9.02023-05-09
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution.
- CVE-2023-28170CRITICALCVSS 9.1EG 9.12023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import.This issue affects Theme Demo Import: from n/a through 1.1.1.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →