Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Dedecms Subscribe
Total 61 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-23044 1 Dedecms 1 Dedecms 2021-10-27 3.5 LOW 5.4 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-36494 1 Dedecms 1 Dedecms 2021-10-26 4.3 MEDIUM 6.1 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component mychannel_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
CVE-2020-36493 1 Dedecms 1 Dedecms 2021-10-26 3.5 LOW 5.4 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component media_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-36492 1 Dedecms 1 Dedecms 2021-10-26 3.5 LOW 5.4 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component select_media.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
CVE-2020-36496 1 Dedecms 1 Dedecms 2021-10-26 4.3 MEDIUM 6.1 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component sys_admin_user_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
CVE-2020-36497 1 Dedecms 1 Dedecms 2021-10-26 4.3 MEDIUM 6.1 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component makehtml_homepage.php via the `filename`, `mid`, `userid`, and `templet' parameters.
CVE-2020-36495 1 Dedecms 1 Dedecms 2021-10-26 4.3 MEDIUM 6.1 MEDIUM
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `filename`, `mid`, `userid`, and `templet' parameters.
CVE-2020-18114 1 Dedecms 1 Dedecms 2021-09-01 7.5 HIGH 9.8 CRITICAL
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.
CVE-2020-18917 1 Dedecms 1 Dedecms 2021-08-30 6.8 MEDIUM 8.8 HIGH
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
CVE-2019-6289 1 Dedecms 1 Dedecms 2021-07-21 6.5 MEDIUM 8.8 HIGH
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename.
CVE-2020-22198 1 Dedecms 1 Dedecms 2021-06-21 7.5 HIGH 9.8 CRITICAL
SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php.
CVE-2021-32073 1 Dedecms 1 Dedecms 2021-05-21 6.8 MEDIUM 8.8 HIGH
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2020-16632 1 Dedecms 1 Dedecms 2021-05-21 3.5 LOW 5.4 MEDIUM
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2019-10014 1 Dedecms 1 Dedecms 2020-08-24 4.0 MEDIUM 6.5 MEDIUM
In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated.
CVE-2015-4553 1 Dedecms 1 Dedecms 2020-01-15 6.5 MEDIUM 8.8 HIGH
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
CVE-2019-8933 1 Dedecms 1 Dedecms 2019-02-20 6.5 MEDIUM 8.8 HIGH
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
CVE-2019-8362 1 Dedecms 1 Dedecms 2019-02-20 5.0 MEDIUM 7.5 HIGH
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content).
CVE-2018-20129 1 Dedecms 1 Dedecms 2019-02-05 6.5 MEDIUM 8.8 HIGH
An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value.
CVE-2018-16785 1 Dedecms 1 Dedecms 2019-01-28 6.5 MEDIUM 8.8 HIGH
XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell
CVE-2018-19061 1 Dedecms 1 Dedecms 2018-12-10 7.5 HIGH 9.8 CRITICAL
DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.