CVE-2018-20129

Name of the Vulnerable Software and Affected Versions DedeCMS version V5.7 SP2

Description A security issue was found that allows remote attackers to upload and execute arbitrary PHP code. This can be achieved by using a double extension and a modified ".php" substring in the filename, in conjunction with the image/jpeg content type. For example, using the filename 1.jpg.p*hp can exploit this issue.

Recommendations For DedeCMS version V5.7 SP2, consider restricting the upload of files with double extensions or modifying the .php substring to prevent the execution of arbitrary PHP code. As a temporary workaround, restrict access to the select images post.php file in the uploads/include/dialog directory to minimize the risk of exploitation.