CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32073
https://notcve.org/view.php?id=CVE-2021-32073
14 May 2021 — DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution. DedeCMS versión V5.7 SP2, contiene una vulnerabilidad de tipo CSRF que permite a un atacante remoto enviar una petición maliciosa al administrador web, permitiendo una ejecución de código remota • https://github.com/ky-j/dedecms/issues/12 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2020-27533 – DedeCMS v.5.8 - _keyword_ Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-27533
22 Oct 2020 — A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages. Se detectó un problema de tipo Cross Site Scripting (XSS) en la funcionalidad de búsqueda de DedeCMS versión v.5.8, que permite a usuarios maliciosos inyectar código en páginas web, y otros usuarios estarán afectados cuando se visualiza páginas web DedeCMS version 5.8 suffers from a cross site scripting vu... • https://packetstorm.news/files/id/159772 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 20%CPEs: 3EXPL: 2CVE-2015-4553 – DeDeCMS < 5.7-sp1 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2015-4553
06 Jan 2020 — A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. Existe un problema de carga de archivos en DeDeCMS versiones anteriores a 5.7-sp1, lo que permite getshell a usuarios maliciosos. • https://www.exploit-db.com/exploits/37423 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10014
https://notcve.org/view.php?id=CVE-2019-10014
24 Mar 2019 — In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated. En DedeCMS 5.7SP2, member/resetpassword.php permite que usuarios autenticados remotos restablezcan las contraseñas de usuarios arbitrarios mediante un parámetro id modificado. Esto se debe a que el parámetro key no se valida correctamente. • https://blog.csdn.net/yalecaltech/article/details/88594388 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8933
https://notcve.org/view.php?id=CVE-2019-8933
19 Feb 2019 — In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php. En DedeCMS 5.7SP2, los atacantes pueden subir un archivo .php al directorio "uploads/" (sin que se encuentren bloqueados por el firewal... • https://blog.csdn.net/qq_36093477/article/details/86681178 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2019-8362
https://notcve.org/view.php?id=CVE-2019-8362
16 Feb 2019 — DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content). DedeCMS, hasta la versión V5.7SP2, permite la subida de archivos arbitrarios en dede/album_edit.php o dede/album_add.php, tal y como que... • http://tusk1.cn/2019/02/16/dedecms%20v5.7%20sp2%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6289
https://notcve.org/view.php?id=CVE-2019-6289
15 Jan 2019 — uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename. uploads/include/dialog/select_soft.php en DedeCMS V57_UTF8_SP2 permite que los atacantes remotos ejecuten código PHP arbitrario mediante una subida con una extensión de archivo segura, renombrándolo después con una variación en mayúsculas y minúsc... • https://laolisafe.com/dedecms • CWE-178: Improper Handling of Case Sensitivity CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2018-20129
https://notcve.org/view.php?id=CVE-2018-20129
13 Dec 2018 — An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value. Se ha descubierto un problema en DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php permite que atacantes remotos suban y ejecuten código PHP arbitrario mediante una extensión doble y una ... • http://www.iwantacve.cn/index.php/archives/88 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19061
https://notcve.org/view.php?id=CVE-2018-19061
07 Nov 2018 — DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. DedeCMS 5.7 SP2 tiene una inyección SQL mediante el parámetro ids en dede\co_do.php. • https://github.com/moonf1sh/moonf1sh.github.io/blob/master/2018/10/30/DedeCMS-V57-SQL%E6%B3%A8%E5%85%A5/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18781
https://notcve.org/view.php?id=CVE-2018-18781
29 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante los parámetros f o keyword en /member/uploads_select.php. • https://github.com/ky-j/dedecms/issues/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •