Filtered by vendor Dedecms
Subscriptions
Filtered by product Dedecms
Subscriptions
Total
123 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-20129 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value. | ||||
| CVE-2018-19061 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. | ||||
| CVE-2018-18782 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. | ||||
| CVE-2018-18781 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. | ||||
| CVE-2018-18608 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. | ||||
| CVE-2018-18579 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. | ||||
| CVE-2018-18578 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. | ||||
| CVE-2018-16786 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. | ||||
| CVE-2018-16785 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell | ||||
| CVE-2018-16784 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. | ||||
| CVE-2018-12046 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. | ||||
| CVE-2018-12045 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. | ||||
| CVE-2018-10375 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code. | ||||
| CVE-2017-17731 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | ||||
| CVE-2017-17730 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | ||||
| CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | ||||
| CVE-2015-4553 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 8.8 High |
| A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. | ||||
| CVE-2011-5200 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. | ||||
| CVE-2010-1097 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php. | ||||
| CVE-2009-3806 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. | ||||