CRITICAL🇵🇱 Wersja polska

CVE-2024-29684

CVSS 9.8v3.1pub. 2024-03-26upd. 2025-04-01

DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /src/dede/makehtml_homepage.php allowing a remote attacker to execute arbitrary code.

🤖 AI Analysis
How it works

An attacker can construct a malicious HTTP request directed at the /src/dede/makehtml_homepage.php component and trick a logged-in user (e.g., administrator) into executing it unknowingly. The lack of proper origin verification mechanisms allows a CSRF attack to be carried out, resulting in arbitrary code execution on the server side. The attacker does not need to possess any privileges or require interaction other than convincing the victim to visit a malicious page.

Impact

Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which may lead to complete takeover of the application, data disclosure, or data modification.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is also recommended to implement CSRF protection mechanisms (CSRF tokens) and restrict access to the admin panel to trusted IP addresses.

Who is affected

DedeCMS v5.7 — /src/dede/makehtml_homepage.php component

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    5.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)

CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt

RCE w DedeCMS poprzez komponent array_filter

CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt

DedeCMS – arbitrary file upload umożliwiający RCE

CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php