CRITICAL🇵🇱 Wersja polska

CVE-2024-35510

CVSS 9.8v3.1pub. 2024-05-28upd. 2025-04-01

An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.114 allows attackers to execute arbitrary code via uploading a crafted file.

🤖 AI Analysis
How it works

The vulnerability exists in the /dede/file_manage_control.php script, which does not impose sufficient restrictions on the type or content of uploaded files. An attacker can upload a crafted file (e.g., PHP webshell) without needing special privileges or victim interaction. After successfully uploading such a file to the server, the attacker can remotely trigger its execution by the web server, thereby gaining full control over the application.

Impact

An attacker can remotely execute arbitrary code on the server (RCE), leading to complete takeover of the application and potentially the entire server – confidentiality, integrity, and system availability are compromised.

Mitigation & patch

Patches available from the vendor should be applied according to references. As a temporary measure, it is recommended to restrict access to the /dede/ directory exclusively to trusted IP addresses at the firewall or web server configuration level, and to disable file upload and execution capabilities in user directories.

Who is affected

DedeCMS v5.7.114

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dedecms

    APP
    Dedecms
    5.7.114
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-30643CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)

CVE-2026-30694CRITICAL9.8PL ✓ten sam produkt

RCE w DedeCMS poprzez komponent array_filter

CVE-2024-35375CRITICAL9.8PL ✓ten sam produkt

DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym

CVE-2024-33749CRITICAL9.1PL ✓ten sam produkt

DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php

CVE-2024-29661CRITICAL9.8PL ✓ten sam produkt

Krytyczne RCE przez File Upload w DedeCMS v5.7