ReportizFlow
Filtered by vendor Dedecms
Subscriptions
Filtered by product Dedecms
Subscriptions
Total
101 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-27533 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 5.4 Medium |
| A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages. | ||||
| CVE-2020-23046 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.1 Medium |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet' parameters. | ||||
| CVE-2020-23044 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 5.4 Medium |
| DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | ||||
| CVE-2020-22198 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php. | ||||
| CVE-2020-18917 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 8.8 High |
| The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control. | ||||
| CVE-2020-18114 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 9.8 Critical |
| An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format. | ||||
| CVE-2020-16632 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 5.4 Medium |
| A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter. | ||||
| CVE-2019-8933 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php. | ||||
| CVE-2019-8362 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content). | ||||
| CVE-2019-6289 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename. | ||||
| CVE-2019-10014 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated. | ||||
| CVE-2018-9175 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php. | ||||
| CVE-2018-9174 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. | ||||
| CVE-2018-9134 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters. | ||||
| CVE-2018-7700 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. | ||||
| CVE-2018-6910 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 7.5 High |
| DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php. | ||||
| CVE-2018-6881 | 2 Dedecms, Phome | 2 Dedecms, Empirecms | 2024-11-21 | 5.3 Medium |
| EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. | ||||
| CVE-2018-20129 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value. | ||||
| CVE-2018-19061 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. | ||||
| CVE-2018-18782 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. | ||||