Vulnerabilities
Vulnerable Software
Dedecms:  >> Dedecms  Security Vulnerabilities
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
CVSS Score
8.8
EPSS Score
0.922
Published
2018-03-27
DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.
CVSS Score
7.5
EPSS Score
0.914
Published
2018-02-13
EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.
CVSS Score
5.3
EPSS Score
0.005
Published
2018-02-12
DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php.
CVSS Score
8.8
EPSS Score
0.007
Published
2017-12-18
DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-12-18
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
CVSS Score
9.8
EPSS Score
0.849
Published
2017-12-18
Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php.
CVSS Score
7.5
EPSS Score
0.003
Published
2012-09-23
include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php.
CVSS Score
6.8
EPSS Score
0.001
Published
2010-03-24
SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter.
CVSS Score
7.5
EPSS Score
0.001
Published
2009-10-27
Unrestricted file upload vulnerability in member/uploads_edit.php in dedecms 5.3 allows remote attackers to execute arbitrary code by uploading a file with a double extension in the filename, then accessing this file via unspecified vectors, as demonstrated by a .jpg.php filename.
CVSS Score
6.8
EPSS Score
0.011
Published
2009-07-01


Contact Us

Shodan ® - All rights reserved