CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,077 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 39 of 82
- CVE-2023-3486HIGHCVSS 8.2EG 8.22023-07-25
An authentication bypass exists in PaperCut NG versions 22.0.12 and prior that could allow a remote, unauthenticated attacker to upload arbitrary files to the PaperCut NG host’s file storage. This could exhaust system resources and preve…
- CVE-2023-3491HIGHCVSS 8.8EG 8.02023-06-30
Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.
- CVE-2023-34944CRITICALCVSS 9.8EG 9.82023-06-13
An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.
- CVE-2023-35018LOWCVSS 3.3EG 3.32023-10-16
IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation. IBM X-Force ID: 259382.
- CVE-2023-3503MEDIUMCVSS 6.3EG 6.32023-07-04
A vulnerability has been found in SourceCodester Shopping Website 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file insert-product.php. The manipulation leads to unrestricted upload. The…
- CVE-2023-3504MEDIUMCVSS 6.3EG 6.32023-07-04
A vulnerability was found in SmartWeb Infotech Job Board 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /settings/account of the component My Profile Page. The manipulation of the argument …
- CVE-2023-35189CRITICALCVSS 10.0EG 10.02023-07-18
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote code execution vulnerability that could allow an unauthenticated user to upload a malicious payload and execute it.
- CVE-2023-35808HIGHCVSS 8.8EG 8.82023-06-17
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed…
- CVE-2023-36097CRITICALCVSS 9.8EG 9.82023-06-22
funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install.
- CVE-2023-36212HIGHCVSS 8.8EG 8.82023-08-03
File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacker to execute arbitrary code via a crafted PHP file to the edit page function.
- CVE-2023-3623MEDIUMCVSS 6.3EG 6.32023-07-11
A vulnerability was found in Suncreate Mountain Flood Disaster Prevention Monitoring and Early Warning System up to 20230704. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Duty/AjaxHandle/…
- CVE-2023-3625MEDIUMCVSS 6.3EG 6.32023-07-11
A vulnerability classified as critical was found in Suncreate Mountain Flood Disaster Prevention Monitoring and Early Warning System up to 20230706. This vulnerability affects unknown code of the file /Duty/AjaxHandle/Write/UploadFile.ashx…
- CVE-2023-3626MEDIUMCVSS 6.3EG 6.32023-07-11
A vulnerability, which was classified as critical, has been found in Suncreate Mountain Flood Disaster Prevention Monitoring and Early Warning System up to 20230706. This issue affects some unknown processing of the file /Duty/AjaxHandle/U…
- CVE-2023-36298HIGHCVSS 8.8EG 8.82023-08-03
DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE).
- CVE-2023-36299HIGHCVSS 8.8EG 8.82023-08-03
A File Upload vulnerability in typecho v.1.2.1 allows a remote attacker to execute arbitrary code via the upload and options-general parameters in index.php.
- CVE-2023-36319HIGHCVSS 8.8EG 8.82023-09-20
File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.
- CVE-2023-36630HIGHCVSS 8.8EG 8.82023-06-25
In CloudPanel before 2.3.1, insecure file upload leads to privilege escalation and authentication bypass.
- CVE-2023-36809HIGHCVSS 8.1EG 8.12023-07-05
Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in or…
- CVE-2023-3692HIGHCVSS 7.2EG 7.22023-07-16
Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.
- CVE-2023-36969HIGHCVSS 8.8EG 8.82023-07-06
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
- CVE-2023-37152CRITICALCVSS 9.8EG 9.82023-07-10
Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Note: This has been disputed as not a valid vulnerability.
- CVE-2023-37208HIGHCVSS 7.8EG 7.82023-07-05
When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.
- CVE-2023-3722HIGHCVSS 8.6EG 8.62023-07-19
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services v…
- CVE-2023-37289CRITICALCVSS 9.8EG 9.82023-07-20
It is identified a vulnerability of Unrestricted Upload of File with Dangerous Type in the file uploading function in InfoDoc Document On-line Submission and Approval System, which allows an unauthenticated remote attacker can exploit thi…
- CVE-2023-37502CRITICALCVSS 9.0EG 9.02023-10-18
HCL Compass is vulnerable to lack of file upload security. An attacker could upload files containing active code that can be executed by the server or by a user's web browser.
- CVE-2023-37629CRITICALCVSS 9.8EG 9.82023-07-12
Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php."
- CVE-2023-37656CRITICALCVSS 9.8EG 9.82023-07-11
WebsiteGuide v0.2 is vulnerable to Remote Command Execution (RCE) via image upload.
- CVE-2023-37677CRITICALCVSS 9.8EG 9.82023-07-25
Pligg CMS v2.0.2 (also known as Kliqqi) was discovered to contain a remote code execution (RCE) vulnerability in the component admin_editor.php.
- CVE-2023-37839CRITICALCVSS 9.8EG 9.82023-07-13
An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.109 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-3796MEDIUMCVSS 4.3EG 4.32023-07-20
A vulnerability, which was classified as problematic, has been found in Bug Finder Foody Friend 1.0. Affected by this issue is some unknown functionality of the file /user/profile of the component Profile Picture Handler. The manipulation …
- CVE-2023-3797MEDIUMCVSS 5.5EG 5.52023-07-20
A vulnerability, which was classified as critical, was found in Gen Technology Four Mountain Torrent Disaster Prevention and Control of Monitoring and Early Warning System up to 20230712. This affects an unknown part of the file /Duty/Ajax…
- CVE-2023-3798MEDIUMCVSS 5.5EG 5.52023-07-20
A vulnerability has been found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0 and classified as critical. This vulnerability affects unknown code of the file /App_Resource/UEditor/server/upload.aspx. The manipulation of …
- CVE-2023-3800LOWCVSS 3.9EG 3.92023-07-20
A vulnerability was found in EasyAdmin8 2.0.2.2. It has been classified as problematic. Affected is an unknown function of the file /admin/index/index.html#/admin/mall.goods/index.html of the component File Upload Module. The manipulation …
- CVE-2023-3802MEDIUMCVSS 5.5EG 5.52023-07-21
A vulnerability was found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /Controller/Ajaxfileupload.ashx. The manipulati…
- CVE-2023-38029CRITICALCVSS 9.8EG 9.82023-08-28
Saho’s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files t…
- CVE-2023-3803LOWCVSS 2.6EG 2.62023-07-21
A vulnerability classified as problematic has been found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. This affects an unknown part of the file /Service/ImageStationDataService.asmx of the component File Name Handler. …
- CVE-2023-3804MEDIUMCVSS 5.5EG 5.52023-07-21
A vulnerability classified as problematic was found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. This vulnerability affects unknown code of the file /Service/FileHandler.ashx. The manipulation of the argument userFile…
- CVE-2023-3806MEDIUMCVSS 6.3EG 6.32023-07-21
A vulnerability, which was classified as critical, was found in SourceCodester House Rental and Property Listing System 1.0. Affected is an unknown function of the file btn_functions.php. The manipulation leads to unrestricted upload. It i…
- CVE-2023-38095HIGHCVSS 8.8EG 8.82024-05-03
NETGEAR ProSAFE Network Management System MFileUploadController Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE…
- CVE-2023-38098HIGHCVSS 8.8EG 8.82024-05-03
NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network…
- CVE-2023-38330MEDIUMCVSS 5.3EG 5.32023-08-02
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.
- CVE-2023-3836MEDIUMCVSS 6.3EG 9.02023-07-22
A vulnerability classified as critical was found in Dahua Smart Park Management up to 20230713. This vulnerability affects unknown code of the file /emap/devicePoint_addImgIco?hasSubsystem=true. The manipulation of the argument upload lead…
- CVE-2023-38388CRITICALCVSS 9.0EG 9.02024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in Artbees JupiterX Core.This issue affects JupiterX Core: from n/a through 3.3.5.
- CVE-2023-38404HIGHCVSS 7.2EG 7.22023-07-17
The XPRTLD web application in Veritas InfoScale Operations Manager (VIOM) before 8.0.0.410 allows an authenticated attacker to upload all types of files to the server. An authenticated attacker can then execute the malicious file to perfor…
- CVE-2023-3852MEDIUMCVSS 4.7EG 4.72023-07-23
A vulnerability was found in OpenRapid RapidCMS up to 1.3.1. It has been declared as critical. This vulnerability affects unknown code of the file /admin/upload.php. The manipulation of the argument file leads to unrestricted upload. The a…
- CVE-2023-38836HIGHCVSS 8.8EG 9.02023-08-21
File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.
- CVE-2023-38874HIGHCVSS 8.8EG 8.82023-09-28
A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash boo…
- CVE-2023-38887HIGHCVSS 8.8EG 8.82023-09-20
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
- CVE-2023-38915CRITICALCVSS 9.8EG 9.82023-08-15
File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote attacker to execute arbtirary code via the upload type function.
- CVE-2023-38947HIGHCVSS 7.2EG 7.22023-08-03
An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →