CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,077 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 37 of 82
- CVE-2023-28337HIGHCVSS 8.8EG 8.82023-03-15
When uploading a firmware image to a Netgear Nighthawk Wifi6 Router (RAX30), a hidden “forceFWUpdate” parameter may be provided to force the upgrade to complete and bypass certain validation checks. End users can use this to upload mod…
- CVE-2023-28353HIGHCVSS 8.8EG 8.82023-05-31
An issue was discovered in Faronics Insight 10.0.19045 on Windows. An unauthenticated attacker is able to upload any type of file to any location on the Teacher Console's computer, enabling a variety of different exploitation paths includi…
- CVE-2023-28409CRITICALCVSS 9.8EG 9.82023-05-23
Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file.
- CVE-2023-28480MEDIUMCVSS 6.5EG 6.52023-08-14
An issue was discovered in Tigergraph Enterprise 3.7.0. The TigerGraph platform allows users to define new User Defined Functions (UDFs) from C/C++ code. To support this functionality TigerGraph allows users to upload custom C/C++ code whi…
- CVE-2023-28482MEDIUMCVSS 6.5EG 6.52023-08-14
An issue was discovered in Tigergraph Enterprise 3.7.0. A single TigerGraph instance can host multiple graphs that are accessed by multiple different users. The TigerGraph platform does not protect the confidentiality of any data uploaded …
- CVE-2023-28652MEDIUMCVSS 6.5EG 6.52023-03-27
An authenticated malicious user could successfully upload a malicious image could lead to a denial-of-service condition.
- CVE-2023-28699HIGHCVSS 8.8EG 8.82023-06-02
Wade Graphic Design FANTSY has a vulnerability of insufficient filtering for file type in its file update function. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload a PHP file containing…
- CVE-2023-28700MEDIUMCVSS 6.8EG 6.82023-06-02
OMICARD EDM backend system’s file uploading function does not restrict upload of file with dangerous type. A local area network attacker with administrator privileges can exploit this vulnerability to upload and run arbitrary executable …
- CVE-2023-28725CRITICALCVSS 9.1EG 9.12023-03-22
General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments di…
- CVE-2023-28731CRITICALCVSS 9.8EG 9.82023-03-30
AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affect…
- CVE-2023-28814CRITICALCVSS 9.8EG 9.82025-10-17
Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software…
- CVE-2023-28833LOWCVSS 2.4EG 2.42023-03-30
Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provided a file name which was not restricted and could overwrite files in the appdata dir…
- CVE-2023-2888MEDIUMCVSS 4.7EG 4.72023-05-25
A vulnerability, which was classified as problematic, was found in PHPOK 6.4.100. This affects an unknown part of the file /admin.php?c=upload&f=zip&_noCache=0.1683794968. The manipulation leads to unrestricted upload. It is possible to in…
- CVE-2023-28962MEDIUMCVSS 5.3EG 5.32023-04-17
An Improper Authentication vulnerability in upload-file.php, used by the J-Web component of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to upload arbitrary files to temporary folders on the device. This issu…
- CVE-2023-29102CRITICALCVSS 9.1EG 9.12023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.
- CVE-2023-2924MEDIUMCVSS 4.7EG 4.72023-05-27
A vulnerability, which was classified as critical, has been found in Supcon SimField up to 1.80.00.00. Affected by this issue is some unknown functionality of the file /admin/reportupload.aspx. The manipulation of the argument files[] lead…
- CVE-2023-29240MEDIUMCVSS 5.4EG 5.42023-05-03
An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2023-29268CRITICALCVSS 9.8EG 9.82023-04-26
The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affec…
- CVE-2023-29375CRITICALCVSS 9.8EG 9.82023-04-10
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connect…
- CVE-2023-29384CRITICALCVSS 10.0EG 10.02023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.
- CVE-2023-29386CRITICALCVSS 9.1EG 9.12024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Julien Crego Manager for Icomoon.This issue affects Manager for Icomoon: from n/a through 2.0.
- CVE-2023-29621HIGHCVSS 8.8EG 8.82023-04-14
Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.
- CVE-2023-29625HIGHCVSS 8.8EG 8.82023-04-14
Employee Performance Evaluation System v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.
- CVE-2023-29627HIGHCVSS 8.8EG 8.82023-04-14
Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.
- CVE-2023-29631CRITICALCVSS 9.8EG 9.82023-06-05
PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php.
- CVE-2023-29635CRITICALCVSS 9.8EG 9.82023-05-01
File upload vulnerability in Antabot White-Jotter v0.2.2, allows remote attackers to execute malicious code via the file parameter to function coversUpload.
- CVE-2023-29657HIGHCVSS 8.8EG 8.82023-05-12
eXtplorer 2.1.15 is vulnerable to Insecure Permissions. File upload in file manager allows uploading zip file containing php pages with arbitrary code executions.
- CVE-2023-29721CRITICALCVSS 9.8EG 9.82023-05-24
SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.
- CVE-2023-29770HIGHCVSS 8.8EG 8.82023-11-28
In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.
- CVE-2023-29930HIGHCVSS 8.8EG 8.82023-05-10
An issue was found in Genesys CIC Polycom phone provisioning TFTP Server all version allows a remote attacker to execute arbitrary code via the login crednetials to the TFTP server configuration page.
- CVE-2023-30090CRITICALCVSS 9.8EG 9.82023-05-05
Semcms Shop v4.2 was discovered to contain an arbitrary file uplaod vulnerability via the component SEMCMS_Upfile.php. This vulnerability allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-30122CRITICALCVSS 9.8EG 9.82023-05-05
An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Ordering System v2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-30185CRITICALCVSS 9.8EG 9.82023-05-08
CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.
- CVE-2023-30247CRITICALCVSS 9.8EG 9.82023-05-12
File Upload vulnerability found in Oretnom23 Storage Unit Rental Management System v.1.0 allows a remote attacker to execute arbitrary code via the update_settings parameter.
- CVE-2023-30264CRITICALCVSS 9.8EG 9.82023-05-04
CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via application/admin/controller/Template.php:update.
- CVE-2023-30266HIGHCVSS 8.8EG 8.82023-04-26
CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type.
- CVE-2023-3032HIGHCVSS 8.1EG 8.12023-06-02
Unrestricted Upload of File with Dangerous Type vulnerability in Mobatime web application (Documentary proof upload modules) allows a malicious user to Upload a Web Shell to a Web Server.This issue affects Mobatime web application: through…
- CVE-2023-30333CRITICALCVSS 9.8EG 9.82023-05-18
An arbitrary file upload vulnerability in the component /admin/ThemeController.java of PerfreeBlog v3.1.2 allows attackers to execute arbitrary code via a crafted file.
- CVE-2023-3049CRITICALCVSS 9.8EG 10.02023-06-13
Unrestricted Upload of File with Dangerous Type vulnerability in TMT Lockcell allows Command Injection. This issue affects Lockcell: before 15.
- CVE-2023-3061MEDIUMCVSS 6.3EG 6.32023-06-02
A vulnerability was found in code-projects Agro-School Management System 1.0 and classified as critical. This issue affects some unknown processing of the file btn_functions.php of the component Attachment Image Handler. The manipulation l…
- CVE-2023-30613HIGHCVSS 8.1EG 8.12023-04-24
Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious ac…
- CVE-2023-30791HIGHCVSS 7.1EG 7.12023-07-15
Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
- CVE-2023-30962MEDIUMCVSS 6.8EG 6.82023-09-12
The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100…
- CVE-2023-30968MEDIUMCVSS 6.8EG 6.82024-03-12
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.
- CVE-2023-31090CRITICALCVSS 9.9EG 9.92024-04-24
Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Upload a Web Shell to a Web Server.This issue affects Unlimited Elements For Elem…
- CVE-2023-31215CRITICALCVSS 9.9EG 9.92023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in AmaderCode Lab Dropshipping & Affiliation with Amazon.This issue affects Dropshipping & Affiliation with Amazon: from n/a through 2.1.2.
- CVE-2023-31231CRITICALCVSS 9.9EG 9.92023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates).This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): f…
- CVE-2023-31428MEDIUMCVSS 5.5EG 5.52023-08-02
Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under user's home directory using grep.
- CVE-2023-31505HIGHCVSS 7.2EG 7.22024-01-31
An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file.
- CVE-2023-31541CRITICALCVSS 9.8EG 9.82023-06-13
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →