Skip to main content

Dotclear

19 CVEs product

Monthly

CVE-2024-27626 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Dotclear
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2018-16358 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-5690 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2018-5689 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2017-6446 MEDIUM PATCH This Month

XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php with the sortby and order parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Dotclear
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-8832 HIGH POC PATCH This Week

Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass PHP Dotclear
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2015-8831 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the author name in a comment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Dotclear
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2016-7903 LOW PATCH Monitor

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Dotclear
NVD
CVSS 3.0
3.7
EPSS
0.3%
CVE-2016-7902 HIGH PATCH This Week

Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP File Upload Dotclear
NVD
CVSS 3.0
8.8
EPSS
2.4%
CVE-2016-9891 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dotclear
NVD
CVSS 3.0
5.4
EPSS
0.4%
CVE-2016-6523 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the media manager in Dotclear before 2.10 allow remote attackers to inject arbitrary web script or HTML via the (1) q or (2) link_type parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS PHP Dotclear
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2016-9268 HIGH PATCH This Week

Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Dotclear
NVD
CVSS 3.0
7.2
EPSS
0.9%
CVE-2015-5651 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Dotclear
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-5316 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Dotclear
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-3782 MEDIUM This Month

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE PHP Dotclear
NVD
CVSS 2.0
6.0
EPSS
0.8%
CVE-2014-3781 MEDIUM POC This Month

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Dotclear
NVD
CVSS 2.0
5.8
EPSS
0.4%
CVE-2014-3783 MEDIUM This Month

SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

PHP SQLi Dotclear
NVD
CVSS 2.0
6.0
EPSS
0.3%
CVE-2014-1613 HIGH POC PATCH This Week

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP Code Injection Dotclear
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2012-1039 MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Dotclear
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
2.6%
EPSS 0% CVSS 6.1
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Dotclear
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Dotclear
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php with the sortby and order parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Dotclear
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass PHP Dotclear
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the author name in a comment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Dotclear
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Dotclear
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP File Upload +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dotclear
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the media manager in Dotclear before 2.10 allow remote attackers to inject arbitrary web script or HTML via the (1) q or (2) link_type parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS PHP Dotclear
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Dotclear
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Dotclear
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Dotclear
NVD
EPSS 1% CVSS 6.0
MEDIUM This Month

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE PHP Dotclear
NVD
EPSS 0% CVSS 5.8
MEDIUM POC This Month

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Dotclear
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

PHP SQLi Dotclear
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP Code Injection +1
NVD
EPSS 3% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) login_data parameter to admin/auth.php; (2) nb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Dotclear
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy