CVE-2018-9134

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7

Description The issue concerns a CSRF vulnerability in the file manage control.php file. This vulnerability can be exploited by renaming an arbitrary file under uploads/userup to a .php file under the web root, allowing for PHP code execution. The oldfilename and newfilename parameters are used in this process.

Recommendations For DedeCMS version 5.7, as a temporary workaround, consider restricting access to the file manage control.php file and the fmdo=rename action to minimize the risk of exploitation. Avoid using the oldfilename and newfilename parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.