CVE-2020-36493

Name of the Vulnerable Software and Affected Versions DedeCMS version 7.5 SP2

Description The issue is related to multiple cross-site scripting (XSS) vulnerabilities in the media main.php component. These vulnerabilities can be exploited via the activepath, keyword, tag, fmdo=x&filename, CKEditor, and CKEditorFuncNum parameters. The vulnerability is associated with a lack of protection for the web page structure, allowing a remote attacker to conduct XSS attacks.

Recommendations For DedeCMS version 7.5 SP2, consider disabling the media main.php component or restricting access to the vulnerable parameters activepath, keyword, tag, fmdo=x&filename, CKEditor, and CKEditorFuncNum until a patch is available. Additionally, avoid using the CKEditor and CKEditorFuncNum parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.