CVEdetails.com the ultimate security vulnerability data source

Dedecms » Dedecms » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
Columns: CVE ID; CWE ID; # of Exploits; Vulnerability Type(s); Publish Date; Update Date; CVSS Score; Gained Access Level; Access; Complexity; Authentication; Confidentiality; Integrity; Availability.

1. CVE-2019-8362
   CWE ID: 434 | # of Exploits: (none listed) | Type(s): (none listed) | Published: 2019-02-16 | Updated: 2019-02-20 | Score: 5.0
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content).

2. CVE-2018-12046
   CWE ID: 20 | # of Exploits: (none listed) | Type(s): (none listed) | Published: 2018-06-08 | Updated: 2018-07-27 | Score: 5.0
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file.

3. CVE-2018-12045
   CWE ID: 434 | # of Exploits: (none listed) | Type(s): (none listed) | Published: 2018-06-08 | Updated: 2018-07-27 | Score: 7.5
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file.

4. CVE-2017-17731
   CWE ID: 89 | # of Exploits: (none listed) | Type(s): Sql | Published: 2017-12-18 | Updated: 2018-01-04 | Score: 7.5
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.

5. CVE-2017-17730
   CWE ID: 89 | # of Exploits: (none listed) | Type(s): Sql | Published: 2017-12-18 | Updated: 2018-01-04 | Score: 7.5
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.

6. CVE-2017-17727
   CWE ID: 434 | # of Exploits: (none listed) | Type(s): Exec Code | Published: 2017-12-18 | Updated: 2018-01-04 | Score: 6.8
   Gained Access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.

7. CVE-2015-4553
   CWE ID: 434 | # of Exploits: (none listed) | Type(s): (none listed) | Published: 2020-01-06 | Updated: 2020-01-15 | Score: 6.5
   Gained Access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.

Total number of vulnerabilities: 7. Page: 1 (this page).