CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,077 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 41 of 82
- CVE-2023-42248MEDIUMCVSS 6.5EG 6.52025-01-13
An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can write arbitrary files by manipulating POST parameters of the page "common/vam_Sql.php".
- CVE-2023-4225HIGHCVSS 8.8EG 8.82023-11-28
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
- CVE-2023-4226HIGHCVSS 8.8EG 8.82023-11-28
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
- CVE-2023-42286CRITICALCVSS 9.8EG 9.82024-03-14
There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.
- CVE-2023-42331HIGHCVSS 8.8EG 8.82023-09-20
A file upload vulnerability in EliteCMS v1.01 allows a remote attacker to execute arbitrary code via the manage_uploads.php component.
- CVE-2023-42335HIGHCVSS 8.8EG 8.82023-09-20
Unrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to execute arbitrary code via the add attachment function in the New Expense component.
- CVE-2023-4238HIGHCVSS 7.2EG 7.22023-09-25
The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.
- CVE-2023-4243HIGHCVSS 8.8EG 8.82023-08-09
The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-l…
- CVE-2023-42462CRITICALCVSS 9.1EG 7.72023-09-27
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to d…
- CVE-2023-42472HIGHCVSS 7.3EG 7.32023-09-12
Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network. When…
- CVE-2023-42659HIGHCVSS 8.8EG 8.82023-11-07
In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified locati…
- CVE-2023-42802CRITICALCVSS 9.8EG 10.02023-11-02
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server …
- CVE-2023-42803HIGHCVSS 8.8EG 5.32023-10-30
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, …
- CVE-2023-4311HIGHCVSS 8.8EG 8.82023-12-18
The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode.
- CVE-2023-43226HIGHCVSS 8.8EG 8.82023-09-28
An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-43269CRITICALCVSS 9.8EG 9.82023-10-05
pigcms up to 7.0 was discovered to contain an arbitrary file upload vulnerability.
- CVE-2023-43321HIGHCVSS 8.8EG 8.82023-10-04
File Upload vulnerability in Digital China Networks DCFW-1800-SDC v.3.0 allows an authenticated attacker to execute arbitrary code via the wget function in the /sbin/cloudadmin.sh component.
- CVE-2023-43478CRITICALCVSS 9.8EG 8.82023-09-20
fake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, allows unauthenticated attackers to upload firmware images and configuration backups, which could allow them to alter the firmware or the con…
- CVE-2023-43497HIGHCVSS 8.1EG 8.12023-09-20
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentia…
- CVE-2023-43619HIGHCVSS 7.8EG 7.82023-09-20
An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.
- CVE-2023-43696CRITICALCVSS 9.8EG 8.22023-10-09
Improper Access Control in SICK APU allows an unprivileged remote attacker to download as well as upload arbitrary files via anonymous access to the FTP server.
- CVE-2023-43740HIGHCVSS 8.8EG 9.12023-09-28
Online Book Store Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'image' parameter of admin_edit.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application…
- CVE-2023-43838HIGHCVSS 7.8EG 7.82023-10-04
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
- CVE-2023-44008CRITICALCVSS 9.8EG 9.82023-10-02
File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the File Manager function.
- CVE-2023-44009CRITICALCVSS 9.8EG 9.82023-10-02
File Upload vulnerability in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via the Skin Management function.
- CVE-2023-44061HIGHCVSS 8.8EG 8.82023-10-06
File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.
- CVE-2023-4409HIGHCVSS 8.8EG 6.32023-08-18
A vulnerability, which was classified as critical, has been found in NBS&HappySoftWeChat 1.1.6. Affected by this issue is some unknown functionality. The manipulation leads to unrestricted upload. The attack may be launched remotely. The e…
- CVE-2023-44763MEDIUMCVSS 5.4EG 5.42023-10-10
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be exclude…
- CVE-2023-44824HIGHCVSS 7.8EG 7.82023-10-17
An issue in Expense Management System v.1.0 allows a local attacker to execute arbitrary code via a crafted file uploaded to the sign-up.php component.
- CVE-2023-44962MEDIUMCVSS 5.3EG 5.32023-10-11
File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component.
- CVE-2023-44973CRITICALCVSS 9.8EG 9.82023-10-03
An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-44974CRITICALCVSS 9.8EG 9.82023-10-03
An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2023-45188MEDIUMCVSS 6.5EG 6.52024-06-09
IBM Engineering Lifecycle Optimization Publishing 7.0.2 and 7.03 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted request, a remote attacker coul…
- CVE-2023-45197CRITICALCVSS 9.8EG 9.82024-06-21
The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of “..” to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Admin…
- CVE-2023-45353HIGHCVSS 8.8EG 8.82023-10-09
Atos Unify OpenScape Common Management Portal V10 before V10 R4.17.0 and V10 R5.1.0 allows an authenticated attacker to execute arbitrary code on the operating system by leveraging the Common Management Portal web interface for Authenticat…
- CVE-2023-4536HIGHCVSS 8.8EG 8.82024-01-16
The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE
- CVE-2023-45384CRITICALCVSS 9.8EG 9.82023-10-19
KnowBand supercheckout > 5.0.7 and < 6.0.7 is vulnerable to Unrestricted Upload of File with Dangerous Type. In the module "Module One Page Checkout, Social Login & Mailchimp" (supercheckout), a guest can upload files with extensions .php
- CVE-2023-45554CRITICALCVSS 9.8EG 9.82023-10-25
File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via modification of the imageext parameter from jpg, jpeg,gif, and png to jpg, jpeg,gif, png, pphphp.
- CVE-2023-45555HIGHCVSS 7.8EG 7.82023-10-25
File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via a crafted file to the down_url function in zzz.php file.
- CVE-2023-4559CRITICALCVSS 9.8EG 6.32023-08-27
A vulnerability, which was classified as critical, has been found in Bettershop LaikeTui. Affected by this issue is some unknown functionality of the file index.php?module=api&action=user&m=upload of the component POST Request Handler. The…
- CVE-2023-45595MEDIUMCVSS 5.9EG 5.92024-03-05
A CWE-434 “Unrestricted Upload of File with Dangerous Type” vulnerability in the “file_configuration” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device.…
- CVE-2023-45599MEDIUMCVSS 5.5EG 5.52024-03-05
A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the de…
- CVE-2023-45603CRITICALCVSS 9.8EG 9.02023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End.This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front En…
- CVE-2023-45724CRITICALCVSS 9.8EG 8.22024-01-03
HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.
- CVE-2023-45856CRITICALCVSS 9.8EG 9.82023-10-14
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.
- CVE-2023-45952CRITICALCVSS 9.8EG 7.82023-10-17
An arbitrary file upload vulnerability in the component ajax_link.php of lylme_spage v1.7.0 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2023-4596CRITICALCVSS 9.8EG 9.82023-08-30
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. Th…
- CVE-2023-46004HIGHCVSS 7.2EG 7.22023-10-18
Sourcecodester Best Courier Management System 1.0 is vulnerable to Arbitrary file upload in the update_user function.
- CVE-2023-46149HIGHCVSS 8.8EG 9.92023-12-20
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5.
- CVE-2023-46263CRITICALCVSS 9.8EG 7.22023-12-19
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →