CVE-2018-16784

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7 SP2

Description The issue allows for XML injection, which can lead to remote code execution. This is achieved by using a specific substring: "<file type='file' name='../" in an API request.

Recommendations For DedeCMS version 5.7 SP2, as a temporary workaround, consider restricting access to XML processing functions until a patch is available. Avoid using the name parameter in XML requests that could lead to directory traversal, such as '../', until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.