CVE-2023-43275
https://notcve.org/view.php?id=CVE-2023-43275
Cross-Site Request Forgery (CSRF) vulnerability in the DedeCMS v5.7 (110) backend management interface via /catalog_add.php allows attackers to create crafted web pages because the token value of the submitted form is not verified.
References: https://github.com/thedarknessdied/dedecms/blob/main/v5.7_110-CSRF.md
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-48068
https://notcve.org/view.php?id=CVE-2023-48068
DedeCMS v6.2 was discovered to contain a Cross-site Scripting (XSS) vulnerability via spec_add.php.
References: https://github.com/CP1379767017/cms/blob/dreamcms_vul/dedevCMS/dedeCMS_XSS.md
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5301 – DedeCMS album_add.php AddMyAddon os command injection
https://notcve.org/view.php?id=CVE-2023-5301
A vulnerability classified as critical was found in DedeCMS 5.7.111. This vulnerability affects the function AddMyAddon of the file album_add.php. The manipulation of the argument albumUploadFiles leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
References: https://github.com/Lamber-maybe/cve/blob/main/DedeCMS%20V5.7.111%20Remote%20Code%20Execution%20Vulnerability.md
https://vuldb.com/?ctiid.240940
https://vuldb.com/?id.240940
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-43226
https://notcve.org/view.php?id=CVE-2023-43226
An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
References: https://github.com/zzq66/cve
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-5022 – DedeCMS select_templets_post.php absolute path traversal
https://notcve.org/view.php?id=CVE-2023-5022
A vulnerability has been found in DedeCMS up to 5.7.100 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /include/dialog/select_templets_post.php. The manipulation of the argument activepath leads to absolute path traversal. The associated identifier of this vulnerability is VDB-239863.
References: https://github.com/bayuncao/DEDEcms
https://vuldb.com/?ctiid.239863
https://vuldb.com/?id.239863
CWE-36: Absolute Path Traversal