Vulnerabilities > Dedecms

DATE CVE VULNERABILITY TITLE RISK
2021-08-24 CVE-2020-18917 Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
network
low complexity
dedecms CWE-352
8.8
2021-06-16 CVE-2020-22198 SQL Injection vulnerability in Dedecms 5.7
SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php.
network
low complexity
dedecms CWE-89
critical
9.8
2021-05-15 CVE-2020-16632 Cross-site Scripting vulnerability in Dedecms 5.7
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
network
low complexity
dedecms CWE-79
5.4
2021-05-15 CVE-2021-32073 Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
network
low complexity
dedecms CWE-352
8.8
2020-10-22 CVE-2020-27533 Cross-site Scripting vulnerability in Dedecms 5.8
A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
network
low complexity
dedecms CWE-79
5.4
2020-01-06 CVE-2015-4553 Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.
network
low complexity
dedecms CWE-434
8.8
2019-03-24 CVE-2019-10014 Incorrect Authorization vulnerability in Dedecms 5.7
In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated.
network
low complexity
dedecms CWE-863
6.5
2019-02-19 CVE-2019-8933 Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
network
low complexity
dedecms CWE-434
8.8
2019-02-16 CVE-2019-8362 Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content).
network
low complexity
dedecms CWE-434
7.5
2019-01-15 CVE-2019-6289 Use of Incorrectly-Resolved Name or Reference vulnerability in Dedecms 5.7
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename.
network
low complexity
dedecms CWE-706
8.8