CVE-2021-41919

8.8 HIGH

webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions

Published: 2021-10-08 · Last updated: 2026-06-17

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Affected products

Vendor	Product
webtareas_project	webtareas

Description

webTareas version 2.4 and earlier allows an authenticated user to arbitrarily upload potentially dangerous files without restrictions. This is working by adding or replacing a personal profile picture. The affected endpoint is /includes/upload.php on the HTTP POST data. This allows an attacker to exploit the platform by injecting code or malware and, under certain conditions, to execute code on remote user browsers.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41919
[Exploit reference]https://n4nj0.github.io/advisories/webtareas-multiple-vulnerabilities-i/
[Exploit reference]https://n4nj0.github.io/advisories/webtareas-multiple-vulnerabilities-i/

Related CVEs

Same vendor

CVE-2021-41920 — webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /i... (7.5 HIGH)
CVE-2021-41918 — webTareas version 2.4 and earlier allows an authenticated user to inject arbitrary web script or HTML due to incorrect sanitization of us... (5.4 MEDIUM)
CVE-2021-41917 — webTareas version 2.4 and earlier allows an authenticated user to store arbitrary web script or HTML by creating or editing a client name... (5.4 MEDIUM)
CVE-2021-41916 — A Cross-Site Request Forgery (CSRF) vulnerability in webTareas version 2.4 and earlier allows a remote attacker to create a new administr... (8.8 HIGH)

Same CWE

CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)