CVE-2019-8362

Name of the Vulnerable Software and Affected Versions DedeCMS versions through V5.7SP2

Description The issue allows for arbitrary file upload in certain PHP files. This can be achieved by sending a request to specific API endpoints, such as "/dede/album edit.php" or "/dede/album add.php", with a ZIP archive containing a malicious file, for example, "1.jpg.php". The input validation is insufficient, as it only checks for the presence of certain substrings like ".jpg", ".png", or ".gif" in the file name, without verifying the file's content or name.

Recommendations For DedeCMS versions through V5.7SP2, consider disabling the upload functionality in dede/album edit.php and dede/album add.php until a patch is available. Restrict access to these files to minimize the risk of exploitation. Avoid using the formzip parameter in the affected API endpoints until the issue is resolved.