A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload.
The vulnerability consists in the ability to upload a crafted file to the server without proper verification of its type or content. An attacker can thereby place a malicious executable file (e.g., webshell) on the server, which is then executed on the server side. This results in the attacker's full control over the application environment.
The attacker can execute arbitrary code on the server (RCE), which may lead to takeover of the entire system, data theft, and further lateral movement in the network.
Patches available from the vendor should be applied according to the references. It is also recommended to restrict access to file upload functions only to trusted users and to implement verification of file types and content of uploaded files at the server level.
DedeCMS v5.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDedecms
APPDedecms5.7
Related vulnerabilities
DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)
RCE w DedeCMS poprzez komponent array_filter
DedeCMS – arbitrary file upload umożliwiający RCE
DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym
DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php