** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because “admins are considered trustworthy”; however, the behavior “contradicts our security policy” and is being fixed for 5.2.
CWE-434
CVE-2020-25763
Seat Reservation System version 1.0 suffers from an unauthenticated file upload vulnerability that allows remote attackers to gain remote code execution (RCE) on the hosting web server by uploading PHP files.
CVE-2020-25733
webTareas through 2.1 allows upload of the dangerous .exe and .shtml file types.
CVE-2020-25515
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book, http:///lms/index.php?page=books.
CVE-2020-25537
A file upload vulnerability exists in UCMS 1.5.0; an attacker can exploit it to obtain server management permission.
CVE-2020-25483
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.