CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-49607 – WordPress WP Dropbox Dropins plugin <= 1.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49607
17 Oct 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Redwan Hilali WP Dropbox Dropins allows Upload a Web Shell to a Web Server.This issue affects WP Dropbox Dropins: from n/a through 1.0. The WP Dropbox Dropins plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/RandomRobbieBF/CVE-2024-49607 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5924 – Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5924
13 Jun 2024 — Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Dropbox Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of shared folders. When syncing files from a shared folder belonging to an untrusted account, the Dropbox desktop application ... • https://www.zerodayinitiative.com/advisories/ZDI-24-677 • CWE-693: Protection Mechanism Failure •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40004 – Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins
https://notcve.org/view.php?id=CVE-2023-40004
30 Aug 2023 — Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: fr... • https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4768 – Dropbox merou SSH Public Key public_key.py add_public_key injection
https://notcve.org/view.php?id=CVE-2022-4768
27 Dec 2022 — A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. • https://github.com/dropbox/merou/commit/d93087973afa26bc0a2d0a5eb5c0fde748bdd107 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26181
https://notcve.org/view.php?id=CVE-2022-26181
28 Feb 2022 — Dropbox Lepton v1.2.1-185-g2a08b77 was discovered to contain a heap-buffer-overflow in the function aligned_dealloc():src/lepton/bitops.cc:108. Se ha detectado que Dropbox Lepton versión v1.2.1-185-g2a08b77, contiene un desbordamiento del búfer de la pila en la función aligned_dealloc():src/lepton/bitops.cc:108. • https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12171
https://notcve.org/view.php?id=CVE-2019-12171
08 Jul 2019 — Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. El archivo Dropbox.exe (y el archivo QtWebEngineProcess.exe en el Asistente Web) en la aplicación de escritorio de Dropbox versión 71.4.108.0, almacenan credenciales de texto sin cifrar en la memoria al iniciar sesión correctamente o crear una nueva cuenta. Estos no so... • https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5 • CWE-312: Cleartext Storage of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20820
https://notcve.org/view.php?id=CVE-2018-20820
23 Apr 2019 — read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to cause a denial-of-service (application runtime crash because of an integer overflow) via a crafted file. En read_ujpg en jpgcoder.cc en Dropbox Lepton versión 1.2.1 hay una vulnerabilidad que permite a los atacantes provocar una denegación de servicio (bloqueo de tiempo de ejecución de la aplicación debido a un desbordamiento de enteros) por medio de un archivo creado • https://github.com/dropbox/lepton/commit/6a5ceefac1162783fffd9506a3de39c85c725761 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20819
https://notcve.org/view.php?id=CVE-2018-20819
23 Apr 2019 — io/ZlibCompression.cc in the decompression component in Dropbox Lepton 1.2.1 allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact by crafting a jpg image file. The root cause is a missing check of header payloads that may be (incorrectly) larger than the maximum file size. IO/ZlibCompression. CC en el componente de descompresión en Dropbox LEPTON versión 1.2.1 permite a los atacantes causar una Denegación de Servicio (desb... • https://github.com/dropbox/lepton/issues/112 • CWE-787: Out-of-bounds Write •
CVSS: 3.6EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12446
https://notcve.org/view.php?id=CVE-2018-12446
20 Jun 2018 — An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred ** EN DISPUTA ** Se ha descubierto un problema en la vers... • https://gist.github.com/tanprathan/97b4c04ec6af4da62929e73214fddd1b • CWE-287: Improper Authentication •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12445
https://notcve.org/view.php?id=CVE-2018-12445
20 Jun 2018 — An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within ... • https://gist.github.com/tanprathan/0b63b1868307c732190c2ad3bd1791c7 • CWE-287: Improper Authentication •