Vulnerabilities > Dedecms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-02 | CVE-2018-9175 | Code Injection vulnerability in Dedecms 5.7 DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php. | 7.5 |
| 2018-04-02 | CVE-2018-9174 | Code Injection vulnerability in Dedecms 5.7 sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. | 7.5 |
| 2018-03-30 | CVE-2018-9134 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. | 6.8 |
| 2018-03-27 | CVE-2018-7700 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. | 6.8 |
| 2018-02-13 | CVE-2018-6910 | Exposure of Resource to Wrong Sphere vulnerability in Dedecms 5.7 DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php. | 5.0 |
| 2018-02-12 | CVE-2018-6881 | Information Exposure vulnerability in multiple products EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. | 5.0 |
| 2017-12-18 | CVE-2017-17731 | SQL Injection vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | 7.5 |
| 2017-12-18 | CVE-2017-17730 | SQL Injection vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | 7.5 |
| 2017-12-18 | CVE-2017-17727 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6 DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | 6.8 |
| 2012-09-23 | CVE-2011-5200 | SQL Injection vulnerability in Dedecms 5.6 Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. | 7.5 |