Vulnerabilities > Dedecms > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-06 | CVE-2015-4553 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7 A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. | 8.8 |
| 2019-02-19 | CVE-2019-8933 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7 In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php. | 8.8 |
| 2019-02-16 | CVE-2019-8362 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content). | 7.5 |
| 2019-01-15 | CVE-2019-6289 | Use of Incorrectly-Resolved Name or Reference vulnerability in Dedecms 5.7 uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename. | 8.8 |
| 2018-12-13 | CVE-2018-20129 | Code Injection vulnerability in Dedecms 5.7 An issue was discovered in DedeCMS V5.7 SP2. | 8.8 |
| 2018-09-21 | CVE-2018-16784 | XML Injection (aka Blind XPath Injection) vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. | 7.2 |
| 2018-09-19 | CVE-2018-16785 | XML Injection (aka Blind XPath Injection) vulnerability in Dedecms 5.7 XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell | 8.8 |
| 2018-06-08 | CVE-2018-12046 | Improper Input Validation vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. | 7.5 |
| 2018-03-30 | CVE-2018-9134 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. | 8.8 |
| 2018-03-27 | CVE-2018-7700 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. | 8.8 |