An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.
The vulnerability exploits the module upload mechanism in DedeCMS. An attacker can deliver a crafted module containing malicious tag values (setup tag values), which are then interpreted and executed by the application without proper validation. The lack of input sanitization leads to arbitrary code execution on the server side. The attack vector is network-based, requires no authentication or user interaction, making this vulnerability particularly dangerous.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which can lead to complete system compromise, data theft, backdoor installation, or further lateral movement within the infrastructure.
Apply patches available from the vendor according to the references. It is recommended to monitor updates on the official vendor website (dedecms.com) and — until the patch is deployed — restrict access to the module upload functionality exclusively to trusted, authenticated users, preferably at the firewall or network access control level.
DedeCMS version 5.7.118
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDedecms
APPDedecms≤ 5.7.118
Related vulnerabilities
RCE w DedeCMS poprzez komponent array_filter
DedeCMS – arbitrary file upload umożliwiający RCE
DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym
DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php
Krytyczne RCE przez File Upload w DedeCMS v5.7