ColdFusion versions Update 2 and earlier, Update 9 and earlier, and Update 17 and earlier have a file upload restriction bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CWE-434
CVE-2019-7669
Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.
CVE-2019-7684
inxedu through 2018-12-24 has a vulnerability that can lead to the upload of a malicious JSP file. The vulnerable code location is com.inxedu.os.common.controller.VideoUploadController#gok4 (com/inxedu/os/common/controller/VideoUploadController.java). The attacker uses the /video/uploadvideo fileType parameter to change the list of acceptable extensions from jpg,gif,png,jpeg to jpg,gif,png,jsp,jpeg.
CVE-2019-7721
lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters.
CVE-2019-7257
Linear eMerge E3-Series devices allow Unrestricted File Upload.
CVE-2019-7268
Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.