Vulnerabilities > Dedecms > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-10-22 | CVE-2018-18579 | Cross-site Scripting vulnerability in Dedecms 5.7 Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. | 4.3 |
| 2018-10-22 | CVE-2018-18578 | Cross-site Scripting vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. | 4.3 |
| 2018-09-21 | CVE-2018-16786 | Cross-site Scripting vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. | 4.3 |
| 2018-09-21 | CVE-2018-16784 | XML Injection (aka Blind XPath Injection) vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. | 6.5 |
| 2018-09-19 | CVE-2018-16785 | XML Injection (aka Blind XPath Injection) vulnerability in Dedecms 5.7 XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell | 6.5 |
| 2018-06-08 | CVE-2018-12046 | Improper Input Validation vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. | 5.0 |
| 2018-03-30 | CVE-2018-9134 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. | 6.8 |
| 2018-03-27 | CVE-2018-7700 | Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 5.7 DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. | 6.8 |
| 2018-02-13 | CVE-2018-6910 | Exposure of Resource to Wrong Sphere vulnerability in Dedecms 5.7 DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php. | 5.0 |
| 2018-02-12 | CVE-2018-6881 | Information Exposure vulnerability in multiple products EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php. | 5.0 |