CVE-2023-2928 – DedeCMS article_allowurl_edit.php code injection
https://notcve.org/view.php?id=CVE-2023-2928
A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. • https://github.com/CN016/DedeCMS-getshell-CVE-2023-2928- https://github.com/testwordpress123/cve/blob/main/dedecms.md https://vuldb.com/?ctiid.230083 https://vuldb.com/?id.230083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-31757
https://notcve.org/view.php?id=CVE-2023-31757
DedeCMS up to v5.7.108 is vulnerable to XSS in sys_info.php via parameters 'edit___cfg_powerby' and 'edit___cfg_beian' • https://github.com/sleepyvv/vul_report/blob/main/DedeCMS/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-2424 – DedeCMS config.php UpDateMemberModCache unrestricted upload
https://notcve.org/view.php?id=CVE-2023-2424
A vulnerability was found in DedeCMS 5.7.106 and classified as critical. Affected by this issue is the function UpDateMemberModCache of the file uploads/dede/config.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/xieqiangweb/cve/blob/master/dede/dedecms%20rce.md https://vuldb.com/?ctiid.227750 https://vuldb.com/?id.227750 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-30380
https://notcve.org/view.php?id=CVE-2023-30380
An issue in the component /dialog/select_media.php of DedeCMS v5.7.107 allows attackers to execute a directory traversal. • https://github.com/Howard512966/DedeCMS-v5.7.107-Directory-Traversal • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-27733
https://notcve.org/view.php?id=CVE-2023-27733
DedeCMS v5.7.106 was discovered to contain a SQL injection vulnerability via the component /dede/sys_sql_query.php. • https://github.com/Ephemeral1y/Vulnerability/blob/master/DedeCMS/5.7.98/DedeCMS-v5.7.98-RCE.md https://sha999-crypto.github.io/2023/02/28/Dedecms%20background%20SQL%20injection%20vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •