Vulnerabilities > Dedecms > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-11-07 | CVE-2018-19061 | SQL Injection vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. | 7.5 |
| 2018-06-08 | CVE-2018-12045 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7 DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. | 7.5 |
| 2018-04-25 | CVE-2018-10375 | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7 A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code. | 7.5 |
| 2018-04-02 | CVE-2018-9175 | Code Injection vulnerability in Dedecms 5.7 DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php. | 7.5 |
| 2018-04-02 | CVE-2018-9174 | Code Injection vulnerability in Dedecms 5.7 sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. | 7.5 |
| 2017-12-18 | CVE-2017-17731 | SQL Injection vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | 7.5 |
| 2017-12-18 | CVE-2017-17730 | SQL Injection vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | 7.5 |
| 2012-09-23 | CVE-2011-5200 | SQL Injection vulnerability in Dedecms 5.6 Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. | 7.5 |
| 2009-10-27 | CVE-2009-3806 | SQL Injection vulnerability in Dedecms 5.1 SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. | 7.5 |