Vulnerabilities > Dotclear
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2016-11-10 | CVE-2016-9268 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotclear Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute arbitrary code by uploading a theme file with an zip extension, and then accessing it via unspecified vectors. | 9.0 |
2015-10-03 | CVE-2015-5651 | Cross-site Scripting vulnerability in Dotclear Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-09-22 | CVE-2014-5316 | Cross-Site Scripting vulnerability in Dotclear Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page. | 4.3 |
2014-06-11 | CVE-2014-3782 | Unspecified vulnerability in Dotclear Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension. network dotclear | 6.0 |
2014-06-11 | CVE-2014-3781 | Improper Authentication vulnerability in Dotclear The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. | 5.8 |
2014-05-22 | CVE-2014-3783 | SQL Injection vulnerability in Dotclear SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter. | 6.0 |
2014-05-16 | CVE-2014-1613 | Code Injection vulnerability in Dotclear Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php. | 7.5 |
2012-03-19 | CVE-2012-1039 | Cross-Site Scripting vulnerability in Dotclear Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb parameter to admin/blogs.php; (3) type, (4) sortby, (5) order, or (6) status parameters to admin/comments.php; or (7) page parameter to admin/plugin.php. | 4.3 |
2012-03-19 | CVE-2011-5083 | Permissions, Privileges, and Access Controls vulnerability in Dotclear 2.3.1/2.4.2 Unrestricted file upload vulnerability in inc/swf/swfupload.swf in Dotclear 2.3.1 and 2.4.2 allows remote attackers to execute arbitrary code by uploading a file with an executable PHP extension, then accessing it via a direct request to the file in an unspecified directory. | 7.5 |
2011-06-08 | CVE-2011-1584 | Permissions, Privileges, and Access Controls vulnerability in Dotclear The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. | 6.5 |