VYPR

Dotclear

by Dotclear

Source repositories

CVEs (32)

  • CVE-2014-3782 (Jun 11, 2014)
    risk: cvss 0.00, epss 0.01

    Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some…

  • CVE-2014-3781 (Jun 11, 2014)
    risk: cvss 0.00, epss 0.02

    The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

  • CVE-2014-3783 (May 22, 2014)
    risk: cvss 0.00, epss 0.02

    SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter.

  • CVE-2014-1613 (May 16, 2014)
    risk: cvss 0.00, epss 0.02

    Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.

  • CVE-2011-5083 (Mar 19, 2012)
    risk: cvss 0.00, epss 0.03

    Unrestricted file upload vulnerability in inc/swf/swfupload.swf in Dotclear 2.3.1 and 2.4.2 allows remote attackers to execute arbitrary code by uploading a file with an executable PHP extension, then accessing it via a direct request to the file in an unspecified directory.

  • CVE-2011-1584 (Jun 8, 2011)
    risk: cvss 0.00, epss 0.02

    The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of…

  • CVE-2009-0933 (Mar 17, 2009)
    risk: cvss 0.00, epss 0.01

    Cross-site scripting (XSS) vulnerability in the administrative interface in Dotclear before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-3232 (Jul 18, 2008)
    risk: cvss 0.00, epss 0.05

    Unrestricted file upload vulnerability in ecrire/images.php in Dotclear 1.2.7.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images.

  • CVE-2007-3688 (Jul 11, 2007)
    risk: cvss 0.00, epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in DotClear 1.2.6 allow remote attackers to perform actions as arbitrary users via the (1) tool_url parameter to ecrire/tools.php and multiple fields on the (2) blogconf, (3) blogroll, (4) ecrire/redacteur.php, and (5)…

  • CVE-2007-3672 (Jul 10, 2007)
    risk: cvss 0.00, epss 0.01

    Cross-site scripting (XSS) vulnerability in ecrire/tools.php in DotClear 1.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified form fields on the blogroll page.

  • CVE-2006-3938 (Jul 31, 2006)
    risk: cvss 0.00, epss 0.02

    DotClear allows remote attackers to obtain sensitive information via a direct request for (1) edit_cat.php, (2) index.php, (3) edit_link.php in ecrire/tools/blogroll/; (4) syslog/index.php, (5) thememng/index.php, (6) toolsmng/index.php, (7) utf8convert/index.php in…

  • CVE-2005-3957 (Dec 1, 2005)
    risk: cvss 0.00, epss 0.02

    Unspecified vulnerability in the Trackback functionality in DotClear 1.2.1 has unknown impact and attack vectors.

Page 2 of 2