An issue in DedeCMS v.5.7.118 and before allows a remote attacker to execute arbitrary code via the array_filter component
The vulnerability classified as CWE-94 (Code Injection) affects the array_filter component in DedeCMS. An attacker can supply specially crafted input data that is then processed by this component in a way that allows injection and execution of arbitrary code on the server side. The attack is possible remotely over the network without requiring authentication or user interaction.
An attacker can gain full control over the server — including reading, modifying or deleting data, as well as installing a backdoor or executing arbitrary code with the privileges of the web server process.
Apply patches available from the vendor according to the references. Until an update is applied, it is recommended to restrict access to the DedeCMS administration panel at the firewall level and monitor suspicious network traffic.
DedeCMS version 5.7.118 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDedecms
APPDedecms≤ 5.7.118
Related vulnerabilities
DedeCMS 5.7.118 — zdalne wykonanie kodu przez upload modułu (RCE)
DedeCMS – arbitrary file upload umożliwiający RCE
DedeCMS 5.7.114 — arbitrary file upload w panelu administracyjnym
DedeCMS – nieautoryzowane usunięcie dowolnego pliku przez mail_file_manage.php
Krytyczne RCE przez File Upload w DedeCMS v5.7