CWE-616 9 個 CVE MITRE 定義 ↗

CWE-616:Incomplete Identification of Uploaded File Variables (PHP)

概覽

CWE-616(Incomplete Identification of Uploaded File Variables (PHP))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.

適用平台

類型 名稱 普遍性 OS / CPE
language PHP Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2025-67084 2026-01-15 File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Exec…
CVE-2026-22789 2026-01-12 WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that…
CVE-2025-59402 2025-09-25 Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 accepts the default Thundercomm TurboX 6490 Firehose loader in EDL/QDL mode. This enables attackers with physical access to flash a…
CVE-2025-52130 2025-08-25 File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controllers/FactoryController.php controller. This flaw allows an authenticated attacker to upload arbitrary files, including PHP scripts,…
CVE-2024-52305 2024-11-13 UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account wit…
CVE-2024-31601 2024-04-26 An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component.
CVE-2024-28520 2024-04-04 File Upload vulnerability in Byzoro Networks Smart multi-service security gateway intelligent management platform version S210, allows an attacker to obtain sensitive information via the uploadfile.ph…
CVE-2024-29858 2024-03-21 In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVE-2023-38947 2023-08-03 An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.

內容提交

名稱
PLOVER
日期
2007-05-07
版本
Draft 6

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14 CWE Content Team 1.0.1 updated Description, Other_Notes, Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Other_Notes
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Observed_Examples, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2020-02-24 CWE Content Team 4.0 updated Relationships
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
cvelogic Threat Intelligence