Dedecms

Vendor: Dedecms • 165 CVEs

CVEs (165)

| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| Dedecms | Dedecms | Nov 21, 2024 | Nov 7, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. |
| Dedecms | Dedecms | Nov 21, 2024 | Oct 29, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. |
| Dedecms | Dedecms | Nov 21, 2024 | Oct 29, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. |
| Dedecms | Dedecms | Nov 21, 2024 | Oct 23, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. |
| Dedecms | Dedecms | Nov 21, 2024 | Oct 22, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. |
| Dedecms | Dedecms | Nov 21, 2024 | Oct 22, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. |
| Dedecms | Dedecms | Nov 21, 2024 | Sep 21, 2018 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. |
| Dedecms | Dedecms | Nov 21, 2024 | Sep 21, 2018 | N/A | 7.2 HIGH | 6.5 MEDIUM | DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. |
| Dedecms | Dedecms | Nov 21, 2024 | Sep 19, 2018 | N/A | 8.8 HIGH | 6.5 MEDIUM | An XML injection vulnerability exists in a file of DedeCMS V5.7 SP2, which can be utilized by attackers to create a script file and obtain a webshell. |
| Dedecms | Dedecms | Nov 21, 2024 | Jun 8, 2018 | N/A | 7.5 HIGH | 5.0 MEDIUM | DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. |
| Dedecms | Dedecms | Nov 21, 2024 | Jun 8, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. |
| Dedecms | Dedecms | Nov 21, 2024 | Apr 25, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code. |
| Dedecms | Dedecms | Nov 21, 2024 | Apr 2, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php. |
| Dedecms | Dedecms | Nov 21, 2024 | Apr 2, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. |
| Dedecms | Dedecms | Nov 21, 2024 | Mar 30, 2018 | N/A | 8.8 HIGH | 6.8 MEDIUM | file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters. |
| Dedecms | Dedecms | Nov 21, 2024 | Mar 27, 2018 | N/A | 8.8 HIGH | 6.8 MEDIUM | DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. |
| Dedecms | Dedecms | Nov 21, 2024 | Feb 13, 2018 | N/A | 7.5 HIGH | 5.0 MEDIUM | DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php. |
| Dedecms, Phome | Dedecms, Empirecms | Nov 21, 2024 | Feb 12, 2018 | N/A | 5.3 MEDIUM | 5.0 MEDIUM | EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. |
| Dedecms | Dedecms | May 13, 2026 | Dec 18, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. |
| Dedecms | Dedecms | May 13, 2026 | Dec 18, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. |