PT-2018-18905 · Dedecms · Dedecms
Published
2018-04-02
·
Updated
2018-05-02
·
CVE-2018-9174
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
DedeCMS version 5.7
Description
The issue allows remote attackers to execute arbitrary PHP code. This is possible because the contents of modifytmp.inc are under an attacker's control, specifically through the
refiles array parameter in sys verifies.php.Recommendations
For DedeCMS version 5.7, consider restricting access to the sys verifies.php file until a patch is available, and avoid using the
refiles array parameter in this context to minimize the risk of exploitation.Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dedecms