Skip to main content

Dedecms CVE-2018-16784

HIGH
XML Injection (aka Blind XPath Injection) (CWE-91)
2018-09-21 cve@mitre.org
7.2
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 21, 2018 - 15:29 nvd
HIGH 7.2

DescriptionNVD

DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.

AnalysisAI

DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-91. DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. Affected products include: Dedecms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-17731 CRITICAL POC
9.8 Dec 18

DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. Rated critical severity (CVSS 9

CVE-2017-17730 CRITICAL POC
9.8 Dec 18

DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. Rated critical severity (CVSS 9.8),

CVE-2024-35510 CRITICAL POC
9.8 May 28

An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.114 allows attackers to execute

CVE-2024-29684 CRITICAL POC
9.8 Mar 26

DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /src/dede/makehtml_homepage

CVE-2023-37839 CRITICAL POC
9.8 Jul 13

An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.109 allows attackers to execute

CVE-2023-3578 CRITICAL POC
9.8 Jul 10

A vulnerability classified as critical was found in DedeCMS 5.7.109. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2023-2056 CRITICAL POC
9.8 Apr 14

A vulnerability was found in DedeCMS up to 5.7.87 and classified as critical.php. Rated critical severity (CVSS 9.8), th

CVE-2022-35516 CRITICAL POC
9.8 Aug 17

DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php. Rated critical s

CVE-2022-34531 CRITICAL POC
9.8 Jul 29

DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE) vulnerability via the component mytag_ main.php.

CVE-2018-19061 CRITICAL POC
9.8 Nov 07

DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. Rated critical severity (CVSS 9.8), this vulnera

CVE-2018-12045 CRITICAL POC
9.8 Jun 08

DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_manage_control.php via a dede/file_manage_view.php?fmd

CVE-2024-33749 CRITICAL POC
9.1 May 06

DedeCMS V5.7.114 is vulnerable to deletion of any file via mail_file_manage.php. Rated critical severity (CVSS 9.1), thi

Share

CVE-2018-16784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy