DedeCMS 5.7 漏洞列表

DeDeCMS 5.7 contains a cross-site scripting vulnerability in the '/include/dialog/config.php' file. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. shodan-query: http.html:"DedeCms" fofa-query: app="DedeCMS"

DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.

DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php

Directory traversal vulnerability in DedeCMS 5.7.87 allows reading sensitive files via the $activepath parameter.

Manipulation of the rssurl parameter in co_do.php leads to server-side request forgery in DedeCMS version 5.7.109.