CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18781
https://notcve.org/view.php?id=CVE-2018-18781
29 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante los parámetros f o keyword en /member/uploads_select.php. • https://github.com/ky-j/dedecms/issues/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18782
https://notcve.org/view.php?id=CVE-2018-18782
29 Oct 2018 — Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. Existe Cross-Site Scripting (XSS) reflejado en DedeCMS 5.7 SP2 mediante el parámetro ftype en /member/myfriend.php. • https://github.com/ky-j/dedecms/issues/10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18608
https://notcve.org/view.php?id=CVE-2018-18608
23 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante la función llamada GetPageList definida en el archivo include/datalistcp.class.php que se emplea para mostrar la lista de números de página al... • https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18578
https://notcve.org/view.php?id=CVE-2018-18578
22 Oct 2018 — DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante el parámetro type en plus/qrcode.php. • https://github.com/ky-j/dedecms/files/2500328/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18579
https://notcve.org/view.php?id=CVE-2018-18579
22 Oct 2018 — Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter. Existe Cross-Site Scripting (XSS) reflejado en DedeCMS 5.7 SP2 mediante el parámetro folder en /member/pm.php. • https://github.com/ky-j/dedecms/files/2501671/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7sp2.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16784
https://notcve.org/view.php?id=CVE-2018-16784
21 Sep 2018 — DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. DedeCMS 5.7 SP2 permite la inyección de XML y una ejecución remota de código como resultado mediante una subcadena " • https://github.com/ky-j/dedecms/issues/3 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16786
https://notcve.org/view.php?id=CVE-2018-16786
21 Sep 2018 — DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php. DedeCMS 5.7 SP2 permite Cross-Site Scripting (XSS) mediante un atributo onhashchange en el parámetro msg en /plus/feedback_ajax.php. • https://github.com/ky-j/dedecms/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16785
https://notcve.org/view.php?id=CVE-2018-16785
19 Sep 2018 — XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell Existe una vulnerabilidad de inyección XML en el archivo de DedeCMS en su versión 5.7 SP2 que puede ser empleada por los atacantes para crear un archivo script para obtener un webshell. • https://github.com/ky-j/dedecms/issues/4 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-12045
https://notcve.org/view.php?id=CVE-2018-12045
08 Jun 2018 — DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=upload request with an upfile1 parameter, as demonstrated by uploading a .php file. DedeCMS hasta la versión V5.7SP2 permite la subida de archivos arbitrarios en dede/file_manage_control.php mediante una petición dede/file_manage_view.php?fmdo=upload con un parámetro upfile1, tal y como queda demostrado con la subida de un archivo .php. • https://github.com/SukaraLin/php_code_audit_project/blob/master/dedecms/dedecms%20v5.7%20sp2%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2018-12046
https://notcve.org/view.php?id=CVE-2018-12046
08 Jun 2018 — DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file. DedeCMS hasta la versión V5.7SP2 permite la escritura de archivos arbitrarios en dede/file_manage_control.php mediante una petición dede/file_manage_view.php?fmdo=newfile con los parámetros name y str, tal y como queda demostrado con la escritura a un nuevo archivo .php. • https://github.com/SukaraLin/php_code_audit_project/blob/master/dedecms/dedecms%20v5.7%20sp2%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md • CWE-20: Improper Input Validation •