CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Dedecms : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-32073 352 Exec Code CSRF 2021-05-15 2021-05-21
6.8
None Remote Medium Not required Partial Partial Partial
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
2 CVE-2020-36497 79 XSS 2021-10-22 2021-10-26
4.3
None Remote Medium Not required None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component makehtml_homepage.php via the `filename`, `mid`, `userid`, and `templet' parameters.
3 CVE-2020-36496 79 XSS 2021-10-22 2021-10-26
4.3
None Remote Medium Not required None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component sys_admin_user_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
4 CVE-2020-36495 79 XSS 2021-10-22 2021-10-26
4.3
None Remote Medium Not required None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `filename`, `mid`, `userid`, and `templet' parameters.
5 CVE-2020-36494 79 XSS 2021-10-22 2021-10-26
4.3
None Remote Medium Not required None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component mychannel_edit.php via the `filename`, `mid`, `userid`, and `templet' parameters.
6 CVE-2020-36493 79 XSS 2021-10-22 2021-10-26
3.5
None Remote Medium ??? None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component media_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
7 CVE-2020-36492 79 XSS 2021-10-22 2021-10-26
3.5
None Remote Medium ??? None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component select_media.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
8 CVE-2020-36491 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tags_main.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
9 CVE-2020-36490 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_manage_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
10 CVE-2020-27533 79 XSS 2020-10-22 2020-11-02
3.5
None Remote Medium ??? None Partial None
A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
11 CVE-2020-23046 79 XSS 2021-10-22 2021-10-28
4.3
None Remote Medium Not required None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet' parameters.
12 CVE-2020-23044 79 XSS 2021-10-22 2021-10-28
3.5
None Remote Medium ??? None Partial None
DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters.
13 CVE-2020-22198 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php.
14 CVE-2020-18917 352 Exec Code 2021-08-24 2021-08-30
6.8
None Remote Medium Not required Partial Partial Partial
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
15 CVE-2020-18114 434 2021-08-27 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
An arbitrary file upload vulnerability in the /uploads/dede component of DedeCMS V5.7SP2 allows attackers to upload a webshell in HTM format.
16 CVE-2020-16632 79 Exec Code XSS 2021-05-15 2021-05-21
3.5
None Remote Medium ??? None Partial None
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
17 CVE-2019-10014 863 2019-03-24 2020-08-24
4.0
None Remote Low ??? None Partial None
In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated.
18 CVE-2019-8933 434 2019-02-19 2019-02-20
6.5
None Remote Low ??? Partial Partial Partial
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
19 CVE-2019-8362 434 2019-02-16 2019-02-20
5.0
None Remote Low Not required None Partial None
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content).
20 CVE-2019-6289 94 Exec Code 2019-01-15 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename.
21 CVE-2018-20129 94 Exec Code 2018-12-13 2019-02-05
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value.
22 CVE-2018-19061 89 Sql 2018-11-07 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.
23 CVE-2018-18782 79 XSS 2018-10-29 2018-12-03
4.3
None Remote Medium Not required None Partial None
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter.
24 CVE-2018-18781 79 XSS 2018-10-29 2018-12-03
4.3
None Remote Medium Not required None Partial None
DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter.
25 CVE-2018-18608 79 XSS 2018-10-23 2018-12-04
4.3
None Remote Medium Not required None Partial None
DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
26 CVE-2018-18579 79 XSS 2018-10-22 2018-12-03
4.3
None Remote Medium Not required None Partial None
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter.
27 CVE-2018-18578 79 XSS 2018-10-22 2018-12-03
4.3
None Remote Medium Not required None Partial None
DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter.
28 CVE-2018-16786 79 XSS 2018-09-21 2018-11-08
4.3
None Remote Medium Not required None Partial None
DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.
29 CVE-2018-16785 91 2018-09-19 2019-01-28
6.5
None Remote Low ??? Partial Partial Partial
XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell
30 CVE-2018-16784 91 Exec Code 2018-09-21 2018-11-08
6.5
None Remote Low ??? Partial Partial Partial
DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.
31 CVE-2018-12046 20 2018-06-08 2018-07-27
5.0
None Remote Low Not required None Partial None
DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file.
32 CVE-2018-12045 434 2018-06-08 2018-07-27
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file.
33 CVE-2018-10375 434 Exec Code 2018-04-25 2018-06-13
7.5
None Remote Low Not required Partial Partial Partial
A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code.
34 CVE-2018-9175 94 Exec Code 2018-04-02 2018-05-02
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php.
35 CVE-2018-9174 94 Exec Code 2018-04-02 2018-05-02
7.5
None Remote Low Not required Partial Partial Partial
sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control.
36 CVE-2018-9134 352 Exec Code CSRF 2018-03-30 2018-04-23
6.8
None Remote Medium Not required Partial Partial Partial
file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.
37 CVE-2018-7700 352 Exec Code CSRF 2018-03-27 2018-04-19
6.8
None Remote Medium Not required Partial Partial Partial
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
38 CVE-2018-6910 200 +Info 2018-02-13 2018-03-12
5.0
None Remote Low Not required Partial None None
DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.
39 CVE-2017-17731 89 Sql 2017-12-18 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
40 CVE-2017-17730 89 Sql 2017-12-18 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.
41 CVE-2017-17727 434 Exec Code 2017-12-18 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.
42 CVE-2015-4553 434 2020-01-06 2020-01-15
6.5
None Remote Low ??? Partial Partial Partial
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
43 CVE-2011-5200 89 1 Exec Code Sql 2012-09-23 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php.
44 CVE-2010-1097 287 Bypass 2010-03-24 2010-12-14
6.8
None Remote Medium Not required Partial Partial Partial
include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php.
45 CVE-2009-3806 89 Exec Code Sql 2009-10-27 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter.
46 CVE-2009-2270 94 Exec Code 2009-07-01 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in member/uploads_edit.php in dedecms 5.3 allows remote attackers to execute arbitrary code by uploading a file with a double extension in the filename, then accessing this file via unspecified vectors, as demonstrated by a .jpg.php filename.
Total number of vulnerabilities : 46   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.