Filtered by vendor Dedecms
Total: 93 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-46373 | 1 Dedecms | 1 Dedecms | 2024-09-19 | 8.8 High | Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.
CVE-2018-18578 | 1 Dedecms | 1 Dedecms | 2024-09-17 | N/A | DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter.
CVE-2010-1097 | 1 Dedecms | 1 Dedecms | 2024-09-17 | N/A | include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php.
CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.
CVE-2018-18608 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
CVE-2019-8933 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
CVE-2017-17730 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.
CVE-2018-19061 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.
CVE-2017-17731 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
CVE-2018-18579 | 1 Dedecms | 1 Dedecms | 2024-09-16 | N/A | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter.
CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-09-10 | 4.7 Medium | A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-48068 | 1 Dedecms | 1 Dedecms | 2024-09-03 | 5.4 Medium | DedeCMS v6.2 was discovered to contain a Cross-site Scripting (XSS) vulnerability via spec_add.php.
CVE-2024-42636 | 1 Dedecms | 1 Dedecms | 2024-08-23 | 7.2 High | DedeCMS V5.7.115 has a command execution vulnerability via file_manage_view.php?fmdo=newfile&activepath.
CVE-2023-43275 | 1 Dedecms | 1 Dedecms | 2024-08-14 | 8.8 High | Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7 in 110 backend management interface via /catalog_add.php, allows attackers to create crafted web pages due to a lack of verification of the token value of the submitted form.
CVE-2009-3806 | 1 Dedecms | 1 Dedecms | 2024-08-07 | N/A | SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter.
CVE-2009-2270 | 1 Dedecms | 1 Dedecms | 2024-08-07 | N/A | Unrestricted file upload vulnerability in member/uploads_edit.php in dedecms 5.3 allows remote attackers to execute arbitrary code by uploading a file with a double extension in the filename, then accessing this file via unspecified vectors, as demonstrated by a .jpg.php filename.
CVE-2011-5200 | 1 Dedecms | 1 Dedecms | 2024-08-07 | N/A | Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php.
CVE-2015-4553 | 1 Dedecms | 1 Dedecms | 2024-08-06 | 8.8 High | A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
CVE-2018-20129 | 1 Dedecms | 1 Dedecms | 2024-08-05 | N/A | An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value.
CVE-2018-18782 | 1 Dedecms | 1 Dedecms | 2024-08-05 | N/A | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter.