Filtered by vendor Dedecms
Subscribe
Total
165 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6881 | 2 Dedecms, Phome | 2 Dedecms, Empirecms | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. | |||||
| CVE-2018-20129 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value. | |||||
| CVE-2018-19061 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. | |||||
| CVE-2018-18782 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. | |||||
| CVE-2018-18781 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. | |||||
| CVE-2018-18608 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. | |||||
| CVE-2018-18579 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. | |||||
| CVE-2018-18578 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. | |||||
| CVE-2018-16786 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. | |||||
| CVE-2018-16785 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell | |||||
| CVE-2018-16784 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 6.5 MEDIUM | 7.2 HIGH |
| DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. | |||||
| CVE-2018-12046 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. | |||||
| CVE-2018-12045 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. | |||||
| CVE-2018-10375 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code. | |||||
| CVE-2017-17731 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | |||||
| CVE-2017-17730 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | |||||
| CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | |||||
| CVE-2015-4553 | 1 Dedecms | 1 Dedecms | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. | |||||
| CVE-2011-5200 | 1 Dedecms | 1 Dedecms | 2026-06-16 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. | |||||
| CVE-2010-1097 | 1 Dedecms | 1 Dedecms | 2026-06-16 | 6.8 MEDIUM | N/A |
| include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php. | |||||