CVE-2020-26583

MEDIUM Year: 2020
CVSS v3 Score
6.1
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-434
View all →

Vulnerability Description

An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include arbitrary HTML or JavaScript code into the affected web page. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.

Related Vulnerabilities

CVE-2018-4921

MEDIUM
CVSS:6.1(Medium)

Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure.

CWE-4342018

CVE-2023-34833

MEDIUM
CVSS:6.1(Medium)

An arbitrary file upload vulnerability in the component /api/upload.php of ThinkAdmin v6 allows attackers to execute arbitrary code via a crafted file.

CWE-4342023

CVE-2023-41564

MEDIUM
CVSS:6.1(Medium)

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

CWE-4342023

CVE-2023-4220

MEDIUM
CVSS:6.1(Medium)

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-...

CWE-4342023

CVE-2024-1932

MEDIUM
CVSS:6.1(Medium)

Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout

CWE-4342024

CVE-2024-22550

MEDIUM
CVSS:6.1(Medium)

An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.

CWE-4342024