Vendor CVEs
Dedecms
All CVEs
170 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36493 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component media_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. |
| CVE-2020-36494 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component mychannel_edit.php via the `filename`, `mid`, `userid`, and `templet` parameters. |
| CVE-2020-36495 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `filename`, `mid`, `userid`, and `templet` parameters. |
| CVE-2020-36496 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component sys_admin_user_edit.php via the `filename`, `mid`, `userid`, and `templet` parameters. |
| CVE-2020-36497 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component makehtml_homepage.php via the `filename`, `mid`, `userid`, and `templet` parameters. |
| CVE-2020-18114 | | | 0.00 | — | 0.02 | | Aug 27, 2021 | An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format. |
| CVE-2020-18917 | | | 0.00 | — | 0.01 | | Aug 24, 2021 | The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control. |
| CVE-2020-22198 | | | 0.00 | — | 0.02 | | Jun 16, 2021 | SQL Injection vulnerability in DedeCMS 5.7 via the mdescription parameter to member/ajax_membergroup.php. |
| CVE-2020-16632 | | | 0.00 | — | 0.01 | | May 14, 2021 | An XSS vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter. |
| CVE-2021-32073 | | | 0.00 | — | 0.01 | | May 14, 2021 | DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to the web manager allowing remote code execution. |
| CVE-2019-10014 | | | 0.00 | — | 0.01 | | Mar 24, 2019 | In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated. |
| CVE-2019-8362 | | | 0.00 | — | 0.01 | | Feb 16, 2019 | DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg,… |
| CVE-2019-6289 | | | 0.00 | — | 0.02 | | Jan 15, 2019 | uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename. |
| CVE-2018-19061 | | | 0.00 | — | 0.02 | | Nov 7, 2018 | DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. |
| CVE-2018-18782 | | | 0.00 | — | 0.01 | | Oct 29, 2018 | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. |
| CVE-2018-18781 | | | 0.00 | — | 0.01 | | Oct 29, 2018 | DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. |
| CVE-2018-18578 | | | 0.00 | — | 0.01 | | Oct 22, 2018 | DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. |
| CVE-2018-18579 | | | 0.00 | — | 0.01 | | Oct 22, 2018 | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. |
| CVE-2010-1097 | | | 0.00 | — | 0.01 | | Mar 24, 2010 | include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to… |
| CVE-2009-2270 | | | 0.00 | — | 0.02 | | Jul 1, 2009 | Unrestricted file upload vulnerability in member/uploads_edit.php in dedecms 5.3 allows remote attackers to execute arbitrary code by uploading a file with a double extension in the filename, then accessing this file via unspecified vectors, as demonstrated by a .jpg.php… |