Dotclear
by Dotclear
Source repositories
CVEs (32)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-3782 | 0.00 | — | 0.01 | Jun 11, 2014 | Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some… | |||
| CVE-2014-3781 | 0.00 | — | 0.02 | Jun 11, 2014 | The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. | |||
| CVE-2014-3783 | 0.00 | — | 0.02 | May 22, 2014 | SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter. | |||
| CVE-2014-1613 | 0.00 | — | 0.02 | May 16, 2014 | Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php. | |||
| CVE-2011-5083 | 0.00 | — | 0.03 | Mar 19, 2012 | Unrestricted file upload vulnerability in inc/swf/swfupload.swf in Dotclear 2.3.1 and 2.4.2 allows remote attackers to execute arbitrary code by uploading a file with an executable PHP extension, then accessing it via a direct request to the file in an unspecified directory. | |||
| CVE-2011-1584 | 0.00 | — | 0.02 | Jun 8, 2011 | The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of… | |||
| CVE-2009-0933 | 0.00 | — | 0.01 | Mar 17, 2009 | Cross-site scripting (XSS) vulnerability in the administrative interface in Dotclear before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-3232 | 0.00 | — | 0.05 | Jul 18, 2008 | Unrestricted file upload vulnerability in ecrire/images.php in Dotclear 1.2.7.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images. | |||
| CVE-2007-3688 | 0.00 | — | 0.01 | Jul 11, 2007 | Multiple cross-site request forgery (CSRF) vulnerabilities in DotClear 1.2.6 allow remote attackers to perform actions as arbitrary users via the (1) tool_url parameter to ecrire/tools.php and multiple fields on the (2) blogconf, (3) blogroll, (4) ecrire/redacteur.php, and (5)… | |||
| CVE-2007-3672 | 0.00 | — | 0.01 | Jul 10, 2007 | Cross-site scripting (XSS) vulnerability in ecrire/tools.php in DotClear 1.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified form fields on the blogroll page. | |||
| CVE-2006-3938 | 0.00 | — | 0.02 | Jul 31, 2006 | DotClear allows remote attackers to obtain sensitive information via a direct request for (1) edit_cat.php, (2) index.php, (3) edit_link.php in ecrire/tools/blogroll/; (4) syslog/index.php, (5) thememng/index.php, (6) toolsmng/index.php, (7) utf8convert/index.php in… | |||
| CVE-2005-3957 | 0.00 | — | 0.02 | Dec 1, 2005 | Unspecified vulnerability in the Trackback functionality in DotClear 1.2.1 has unknown impact and attack vectors. |
- CVE-2014-3782Jun 11, 2014risk 0.00cvss —epss 0.01
Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some…
- CVE-2014-3781Jun 11, 2014risk 0.00cvss —epss 0.02
The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.
- CVE-2014-3783May 22, 2014risk 0.00cvss —epss 0.02
SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter.
- CVE-2014-1613May 16, 2014risk 0.00cvss —epss 0.02
Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.
- CVE-2011-5083Mar 19, 2012risk 0.00cvss —epss 0.03
Unrestricted file upload vulnerability in inc/swf/swfupload.swf in Dotclear 2.3.1 and 2.4.2 allows remote attackers to execute arbitrary code by uploading a file with an executable PHP extension, then accessing it via a direct request to the file in an unspecified directory.
- CVE-2011-1584Jun 8, 2011risk 0.00cvss —epss 0.02
The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of…
- CVE-2009-0933Mar 17, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the administrative interface in Dotclear before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-3232Jul 18, 2008risk 0.00cvss —epss 0.05
Unrestricted file upload vulnerability in ecrire/images.php in Dotclear 1.2.7.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images.
- CVE-2007-3688Jul 11, 2007risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in DotClear 1.2.6 allow remote attackers to perform actions as arbitrary users via the (1) tool_url parameter to ecrire/tools.php and multiple fields on the (2) blogconf, (3) blogroll, (4) ecrire/redacteur.php, and (5)…
- CVE-2007-3672Jul 10, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in ecrire/tools.php in DotClear 1.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified form fields on the blogroll page.
- CVE-2006-3938Jul 31, 2006risk 0.00cvss —epss 0.02
DotClear allows remote attackers to obtain sensitive information via a direct request for (1) edit_cat.php, (2) index.php, (3) edit_link.php in ecrire/tools/blogroll/; (4) syslog/index.php, (5) thememng/index.php, (6) toolsmng/index.php, (7) utf8convert/index.php in…
- CVE-2005-3957Dec 1, 2005risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Trackback functionality in DotClear 1.2.1 has unknown impact and attack vectors.
Page 2 of 2