CRITICAL🇵🇱 Wersja polska

CVE-2024-35375

CVSS 9.8v3.1pub. 2024-05-23upd. 2025-04-01

There is an arbitrary file upload vulnerability on the media add .php page in the backend of the website in version 5.7.114 of DedeCMS

🤖 AI Analysis
How it works

The vulnerability (CWE-434) results from insufficient validation of uploaded file types on the 'media add.php' page in the DedeCMS backend. An attacker can upload a file with malicious content (e.g., PHP webshell) while impersonating an allowed file type. Once such a file is placed on the server, it can be executed remotely through an appropriate HTTP request.

Impact

Successful exploitation of the vulnerability allows an attacker to execute code remotely (RCE) on the server, which may result in complete system takeover, data theft, backdoor installation, or further lateral movement in the network.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict access to the administration panel only to trusted IP addresses and implement file type control mechanisms at the web server and Web Application Firewall (WAF) level.

Who is affected

DedeCMS version 5.7.114

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    5.7.114
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)

CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt

RCE w DedeCMS poprzez komponent array_filter

CVE-2024-35510CRITICAL9.8PL ✓ten sam produkt

DedeCMS – arbitrary file upload umożliwiający RCE

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php

CVE-2024-29661CRITICAL9.8PL ✓ten sam produkt

Krytyczne RCE przez File Upload w DedeCMS v5.7