CRITICAL🇵🇱 Wersja polska

CVE-2024-29661

CVSS 9.8v3.1pub. 2024-04-22upd. 2025-04-01

A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.

🤖 AI Analysis
How it works

The vulnerability consists in the ability to upload a crafted file to the server without proper verification of its type or content. An attacker can thereby place a malicious executable file (e.g., webshell) on the server, which is then executed on the server side. This results in the attacker's full control over the application environment.

Impact

The attacker can execute arbitrary code on the server (RCE), which may lead to takeover of the entire system, data theft, and further lateral movement in the network.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is also recommended to restrict access to file upload functions only to trusted users and to implement verification of file types and content of uploaded files at the server level.

Who is affected

DedeCMS v5.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    5.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)

CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt

RCE w DedeCMS poprzez komponent array_filter

CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt

DedeCMS – arbitrary file upload umożliwiający RCE

CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php