Vulnerabilities > Incomplete Blacklist

DATE CVE VULNERABILITY TITLE RISK
2018-01-29 CVE-2018-6383 Incomplete Blacklist vulnerability in Monstra
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
network
low complexity
monstra CWE-184
8.8
2017-08-07 CVE-2015-5946 Incomplete Blacklist vulnerability in Sugarcrm 6.5.22
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
local
low complexity
sugarcrm CWE-184
7.8
2017-02-17 CVE-2016-6189 Incomplete Blacklist vulnerability in Alinto Sogo
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
network
low complexity
alinto CWE-184
4.3