CVE-2018-18608
https://notcve.org/view.php?id=CVE-2018-18608
DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page-number list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
References: https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx • https://github.com/ky-j/dedecms/issues/8
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18578
https://notcve.org/view.php?id=CVE-2018-18578
DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter.
References: https://github.com/ky-j/dedecms/files/2500328/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.docx • https://github.com/ky-j/dedecms/issues/5
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18579
https://notcve.org/view.php?id=CVE-2018-18579
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter.
References: https://github.com/ky-j/dedecms/files/2501671/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7sp2.docx • https://github.com/ky-j/dedecms/issues/6
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16784
https://notcve.org/view.php?id=CVE-2018-16784
DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.
References: https://github.com/ky-j/dedecms/issues/3
Weakness: CWE-91: XML Injection (aka Blind XPath Injection)
CVE-2018-16786
https://notcve.org/view.php?id=CVE-2018-16786
DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.
References: https://github.com/ky-j/dedecms/issues/2
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')