Total
158 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17727 | 1 Dedecms | 1 Dedecms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. | |||||
| CVE-2017-17731 | 1 Dedecms | 1 Dedecms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | |||||
| CVE-2017-17730 | 1 Dedecms | 1 Dedecms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | |||||
| CVE-2022-46442 | 1 Dedecms | 1 Dedecms | 2025-04-11 | N/A | 9.8 CRITICAL |
| dedecms <=V5.7.102 is vulnerable to SQL Injection. In sys_ sql_ n query.php there are no restrictions on the sql query. | |||||
| CVE-2010-1097 | 1 Dedecms | 1 Dedecms | 2025-04-11 | 6.8 MEDIUM | N/A |
| include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php. | |||||
| CVE-2011-5200 | 1 Dedecms | 1 Dedecms | 2025-04-11 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) list.php, (2) members.php, or (3) book.php. | |||||
| CVE-2009-2270 | 1 Dedecms | 1 Dedecms | 2025-04-09 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in member/uploads_edit.php in dedecms 5.3 allows remote attackers to execute arbitrary code by uploading a file with a double extension in the filename, then accessing this file via unspecified vectors, as demonstrated by a .jpg.php filename. | |||||
| CVE-2009-3806 | 1 Dedecms | 1 Dedecms | 2025-04-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. | |||||
| CVE-2024-3685 | 1 Dedecms | 1 Dedecms | 2025-04-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in DedeCMS 5.7.112-UTF8. Affected is an unknown function of the file stepselect_main.php. The manipulation of the argument ids leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260472. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-3686 | 1 Dedecms | 1 Dedecms | 2025-04-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in DedeCMS 5.7.112-UTF8 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file update_guide.php. The manipulation of the argument files leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260473 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4790 | 1 Dedecms | 1 Dedecms | 2025-04-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-30946 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 5.5 MEDIUM |
| DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/co_do.php. | |||||
| CVE-2024-30965 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 8.8 HIGH |
| DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/member_scores.php. | |||||
| CVE-2024-29661 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 9.8 CRITICAL |
| A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload. | |||||
| CVE-2024-29660 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 5.3 MEDIUM |
| Cross Site Scripting vulnerability in DedeCMS v.5.7 allows a local attacker to execute arbitrary code via a crafted payload to the stepselect_main.php component. | |||||
| CVE-2024-33749 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 9.1 CRITICAL |
| DedeCMS V5.7.114 is vulnerable to deletion of any file via mail_file_manage.php. | |||||
| CVE-2024-34245 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.5 MEDIUM |
| An arbitrary file read vulnerability in DedeCMS v5.7.114 allows authenticated attackers to read arbitrary files by specifying any path in makehtml_js_action.php. | |||||
| CVE-2024-34959 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 5.5 MEDIUM |
| DedeCMS V5.7.113 is vulnerable to Cross Site Scripting (XSS) via sys_data_replace.php. | |||||
| CVE-2024-35375 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 9.8 CRITICAL |
| There is an arbitrary file upload vulnerability on the media add .php page in the backend of the website in version 5.7.114 of DedeCMS | |||||
| CVE-2024-35510 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.114 allows attackers to execute arbitrary code via uploading a crafted file. | |||||