Dedecms: >> Dedecms >> 5.7 Security Vulnerabilities
An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value.
CVSS Score
8.8
EPSS Score
0.696
Published
2018-12-13
DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.
CVSS Score
9.8
EPSS Score
0.004
Published
2018-11-07
DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-29
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-29
DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
CVSS Score
6.1
EPSS Score
0.079
Published
2018-10-23
DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-22
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-22
DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.
CVSS Score
7.2
EPSS Score
0.029
Published
2018-09-21
DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-21
XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell
CVSS Score
8.8
EPSS Score
0.007
Published
2018-09-19