CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18608
https://notcve.org/view.php?id=CVE-2018-18608
23 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante la función llamada GetPageList definida en el archivo include/datalistcp.class.php que se emplea para mostrar la lista de números de página al... • https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18578
https://notcve.org/view.php?id=CVE-2018-18578
22 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante el parámetro type en plus/qrcode.php. • https://github.com/ky-j/dedecms/files/2500328/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18579
https://notcve.org/view.php?id=CVE-2018-18579
22 Oct 2018 — Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. Existe Cross-Site Scripting (XSS) reflejado en DedeCMS 5.7 SP2 mediante el parámetro folder en /member/pm.php. • https://github.com/ky-j/dedecms/files/2501671/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7sp2.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16784
https://notcve.org/view.php?id=CVE-2018-16784
21 Sep 2018 — DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. DedeCMS 5.7 SP2 permite la inyección de XML y una ejecución remota de código como resultado mediante una subcadena " • https://github.com/ky-j/dedecms/issues/3 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16786
https://notcve.org/view.php?id=CVE-2018-16786
21 Sep 2018 — DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante un atributo onhashchange en el parámetro msg en /plus/feedback_ajax.php. • https://github.com/ky-j/dedecms/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16785
https://notcve.org/view.php?id=CVE-2018-16785
19 Sep 2018 — XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell Existe una vulnerabilidad de inyección XML en el archivo de DedeCMS en su versión 5.7 SP2 que puede ser empleada por los atacantes para crear un archivo script para obtener un webshell. • https://github.com/ky-j/dedecms/issues/4 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-12045
https://notcve.org/view.php?id=CVE-2018-12045
08 Jun 2018 — DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. DedeCMS hasta la versión V5.7SP2 permite la subida de archivos arbitrarios en dede/file_manage_control.php mediante una petición dede/file_manage_view.php?fmdo=upload con un parámetro upfile1, tal y como queda demostrado con la subida de un archivo .php. • https://github.com/SukaraLin/php_code_audit_project/blob/master/dedecms/dedecms%20v5.7%20sp2%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2018-12046
https://notcve.org/view.php?id=CVE-2018-12046
08 Jun 2018 — DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. DedeCMS hasta la versión V5.7SP2 permite la escritura de archivos arbitrarios en dede/file_manage_control.php mediante una petición dede/file_manage_view.php?fmdo=newfile con los parámetros name y str, tal y como queda demostrado con la escritura a un nuevo archivo .php. • https://github.com/SukaraLin/php_code_audit_project/blob/master/dedecms/dedecms%20v5.7%20sp2%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10375
https://notcve.org/view.php?id=CVE-2018-10375
25 Apr 2018 — A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code. Existe una vulnerabilidad de subida de archivos en /include/helpers/upload.helper.php en DedeCMS V5.7 SP2, que puede ser empleada por atacantes para subir y ejecutar código PHP a... • https://github.com/ky-j/dedecms/issues/1 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-9174
https://notcve.org/view.php?id=CVE-2018-9174
02 Apr 2018 — sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. sys_verifies.php en DedeCMS 5.7 permite que atacantes remotos ejecuten código PHP arbitrario mediante el parámetro de array "refiles". Esto se debe a que los contenidos de modifytmp.inc se encuentran bajo el control de un atacante. • https://xz.aliyun.com/t/2237 • CWE-94: Improper Control of Generation of Code ('Code Injection') •