Atlassian Jira Service Desk version 4.9.1 suffers from a cross-site scripting vulnerability via a file upload.
dfcde77b165540e992acf77b90f6fd749ada31c0790bd7b52362a5e4ecd40c70
This Metasploit module exploits an unauthenticated arbitrary file upload in FortiLogger via an insecure POST request. It has been tested on versions prior to 5.2.0 on Windows 10 Enterprise.
a85e9f5cba1f6749154173a1eef48254ac7c27865cfb1fbb2408dc5b6a948e6b
Whitepaper that discusses XXE exploitation via file uploads.
7c6849a41692d2abfdae193b26658ffc1ed539af111174b955d5ba020dc87949
Dolibarr ERP/CRM version 11.0.4 authenticated file upload restrictions bypass exploit that achieves remote code execution.
f58dbb30223078b60e2c591a9796c22c1a7783555278cad42361cd544f71b096
This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMware View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.
379b0cbe47bd964e0aa4ad293ae73ca2ada00daefc19072ca7c7c1d184c798cd
This Metasploit module exploits an unauthenticated arbitrary file upload via an insecure POST request in SonLogger. It has been tested on versions earlier than 6.4.1 on Windows 10 Enterprise.
545f476ef86fb917ecc86e9949be038a9cf9a65e922e977dc23171d24166bcd6
This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.
ee1f708da8c9cdb296637b11bf11d0e1c52209633c21780eca035b11e77bfd1d
This Metasploit module exploits an unauthenticated arbitrary file upload via an insecure POST request to FortiLogger. It has been tested on version 4.4.2.2 on Windows 10 Enterprise.
971cb73286c116af5ac4963ebdfc76a9c041ad0cc83639cbcc0c74e784971471
VMware vCenter Server version 7.0 unauthenticated arbitrary file upload exploit.
799c1c46954c9683e557c8e1a417d133206fb6622b8109abd3fd919820dc39a2
TestLink version 1.9.20 suffers from a remote shell upload vulnerability.
c77386d58d62722f1ea02fb39203f5ae3734576744e803a7331e2cf8529a9d98
Discord Probot suffers from an arbitrary file upload vulnerability.
91a3b062622a1a49aeae94a3e01e1c22467ffdf7c04f301294c72296ed5dcee0
E-Learning System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass and also suffers from remote code execution via file upload functionality.
8c130003474db5d0b8f04cf3029fdf7dd4afcf6fdc725ec96e203439631bca6c
EyesOfNetwork version 5.3 suffers from a remote code execution vulnerability that leverages file upload. Original discovery of remote code execution in this version is attributed to Clement Billac in February of 2020.
7eec6a20abcb4aef174b7fdab8cded3fd454e04fdef2b5f8981bc124b49ed2fe
This Metasploit module exploits an arbitrary file upload in the WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable server.
187052df5b77471af6ad467ad2dc057df0f9c9a641dd2c9d116e4f60896dcc30
Incom CMS version 2.0 suffers from an unauthenticated arbitrary file upload vulnerability.
7d47cee58dadce751b03d36c10a70967bd55201df82f6d5897da887583fbef3b
Rock RMS suffers from arbitrary file upload, account takeover, and personal information disclosure vulnerabilities. Various versions are affected.
8fc0428a6783de1ab9966a207dcdde3ec9f01dd3fbbf4d51cb139ea9c834aa0a
This Metasploit module exploits an arbitrary file upload vulnerability in FlexDotnetCMS versions 1.5.8 and prior in order to execute arbitrary commands with elevated privileges.
47b81343e2c7ec2c740cde41827515920f9357ae6d5bec55de8ab24845c398f4
CMS Made Simple version 2.2.15 suffers from a persistent cross-site scripting vulnerability via an authenticated SVG file upload.
3a70bea3ff018f2a3e3bc5cb413b9c3da9210a7c1832fd27589baa34aaef8e17
Laravel Administrator version 4 suffers from an unrestricted file upload vulnerability.
74c5803bba9337c9b7130818986ce55f061af3504d643ca424705c78c6549aea
Moodle version 3.8 suffers from an arbitrary file upload vulnerability.
a9cbe04e1ae5b0954fb4c068ffb620caf8091229eed4b6b20f3d1a233d82572c
WordPress Fancy Product Designer for WooCommerce plugin versions 4.5.1 and below suffer from an unauthenticated arbitrary file upload vulnerability.
844ca1d83aa4d76c3672b1a8922c9d8024975940f595d849d240dc34d1d9305e
This Metasploit module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to /admin/file-manager/fileupload. The server will rename this file to a random string. The module will therefore attempt to change the filename back to the original name via an HTTP POST request to /admin/file-manager/rename. For the php target, the payload is embedded in the uploaded file and the module attempts to execute the payload via an HTTP GET request to /storage/file_name.
e997f50b11c87b368375253d60b4bf43687e4ac08d4e9534ce9af91d93c1cefe
Ubuntu Security Notice 4590-1 - It was discovered that Collabtive did not properly validate avatar image file uploads. An authenticated user could exploit this with a crafted file to cause Collabtive to execute arbitrary code.
3a96d705d065d717b14b800adcee1d42f347a14621b97f7aa64d09701a9145c4
ReQuest Serious Play F3 Media Server version 7.0.3 suffers from an unauthenticated remote code execution vulnerability. Abusing the hidden ReQuest Internal Utilities page (/tools) from the services provided, an attacker can exploit the Quick File Uploader (/tools/upload.html) page and upload PHP executable files, resulting in remote code execution as the web server user.
fa62960bd924cddf506938c32939980f302594aab73a39733f1fa032b8d06b7f
Sage DPW versions 2020_06_000 and 2020_06_001 suffer from cross-site scripting and unauthenticated malicious file upload vulnerabilities.
f2de58f82000bc1abcc7ceb06fb7e03de637fb816729b8a026fe3a6815942177