CVSS: 8.1EPSS: %CPEs: 1EXPL: 0CVE-2023-23653 – MainWP File Uploader Extension <= 4.1 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-23653
17 Jan 2023 — The MainWP File Uploader Extension for WordPress is vulnerable to arbitrary file download. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary files from the affected site. • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4764 – Simple File Downloader <= 1.0.4 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4764
05 Jan 2023 — The Simple File Downloader WordPress plugin through 1.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The Simple File Downloader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.0.4 due to insufficient input sanitization and output e... • https://wpscan.com/vulnerability/788c6aa2-14cc-411f-95e8-5994f8c82d70 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45475
https://notcve.org/view.php?id=CVE-2022-45475
25 Nov 2022 — Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. La versión 2.4.8 de Tiny File Manager permite que un atacante remoto no autenticado acceda a los archivos internos de la aplicación. Esto es posible porque la aplicación es vulnerable a un control de acceso roto. • https://fluidattacks.com/advisories/mosey •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45476
https://notcve.org/view.php?id=CVE-2022-45476
25 Nov 2022 — Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. La versión 2.4.8 de Tiny File Manager ejecuta el código de los archivos cargados por los usuarios de la aplicación, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicación es vulnerable a la carga de archivos no segura. • https://fluidattacks.com/advisories/mosey • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-23044
https://notcve.org/view.php?id=CVE-2022-23044
25 Nov 2022 — Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. La versión 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicación. Esto es posible porque la aplicación es vulnerable a CSRF. • https://fluidattacks.com/advisories/mosey • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-40721
https://notcve.org/view.php?id=CVE-2022-40721
03 Oct 2022 — Arbitrary file upload vulnerability in php uploader Una vulnerabilidad de carga de archivos Arbitrarios en php uploader • http://www.openwall.com/lists/oss-security/2022/10/03/3 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36313 – file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop
https://notcve.org/view.php?id=CVE-2022-36313
21 Jul 2022 — An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado podía causar que el detector de tipo de archivo quedara atrapado en un bucle inf... • https://github.com/sindresorhus/file-type/releases/tag/v16.5.4 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31527
https://notcve.org/view.php?id=CVE-2022-31527
11 Jul 2022 — The Wildog/flask-file-server repository through 2020-02-20 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio Wildog/flask-file-server versiones hasta 20-02-20 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-46824
https://notcve.org/view.php?id=CVE-2021-46824
23 Jun 2022 — Cross Site Scripting (XSS) vulnerability in sourcecodester School File Management System 1.0 via the Lastname parameter to the Update Account form in student_profile.php. Una vulnerabilidad de tipo cross Site Scripting (XSS) en sourcecodester School File Management System versión 1.0, por medio del parámetro Lastname del formulario Update Account en el archivostudent_profile.php • https://packetstormsecurity.com/files/161394/School-File-Management-System-1.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-29055
https://notcve.org/view.php?id=CVE-2021-29055
23 Jun 2022 — Cross Site Scripting (XSS) vulnerability in sourcecodester School File Management System 1.0 via the Firtstname parameter to the Update Account form in student_profile.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en sourcecodester School File Management System versión 1.0, por medio del parámetro Firtstname del formulario Update Account en el archivo student_profile.php • https://packetstormsecurity.com/files/161394/School-File-Management-System-1.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •