CVE-2018-18608

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7 SP2

Description The issue allows for XSS attacks through the GetPageList function defined in the datalistcp.class.php file. This function is used to display page numbers at the bottom of certain templates. Attacks can be demonstrated via the PATH INFO to various endpoints, such as "/member/index.php", "/member/pm.php", "/member/content list.php", or "/plus/feedback.php".

Recommendations For DedeCMS version 5.7 SP2, consider disabling the GetPageList function until a patch is available to prevent potential XSS attacks. Restrict access to the datalistcp.class.php file to minimize the risk of exploitation. Avoid using the affected templates that utilize the GetPageList function for displaying page numbers.