Vulnerabilities > Dotclear

DATE CVE VULNERABILITY TITLE RISK
2018-09-02 CVE-2018-16358 Cross-Site Scripting vulnerability in Dotclear
A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml.
network
dotclear CWE-79
3.5
2018-01-14 CVE-2018-5690 Cross-Site Scripting vulnerability in Dotclear 2.12.1
Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number).
network
dotclear CWE-79
3.5
2018-01-14 CVE-2018-5689 Cross-Site Scripting vulnerability in Dotclear 2.12.1
Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email.
network
dotclear CWE-79
3.5
2017-03-05 CVE-2017-6446 Cross-Site Scripting vulnerability in Dotclear 2.11.2
XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php with the sortby and order parameters.
network
dotclear CWE-79
4.3
2017-02-09 CVE-2015-8832 Improper Access Control vulnerability in Dotclear
Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.
network
low complexity
dotclear CWE-284
6.5
2017-02-09 CVE-2015-8831 Cross-Site Scripting vulnerability in Dotclear
Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the author name in a comment.
network
dotclear CWE-79
4.3
2017-01-04 CVE-2016-7903 Permissions, Privileges, and Access Controls vulnerability in Dotclear
Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.
network
dotclear CWE-264
4.3
2017-01-04 CVE-2016-7902 Unrestricted Upload of File With Dangerous Type vulnerability in Dotclear
Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20.
network
low complexity
dotclear CWE-434
6.5
2016-12-29 CVE-2016-9891 Cross-Site Scripting vulnerability in Dotclear
Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title).
network
dotclear CWE-79
3.5
2016-12-09 CVE-2016-6523 Cross-Site Scripting vulnerability in Dotclear
Multiple cross-site scripting (XSS) vulnerabilities in the media manager in Dotclear before 2.10 allow remote attackers to inject arbitrary web script or HTML via the (1) q or (2) link_type parameter to admin/media.php.
network
dotclear CWE-79
4.3