Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36298: GitHub - MentalityXt/Dedecms-v5.7.109-RCE

DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE).

CVE
Open in Source
#vulnerability#web#git#php#rce

Dedecms-v5.7.109-RCE

Since CVE-2022-43192 is not fully fixed, Dedecms still has a file upload vulnerability, leading to RCE. After the vendor released 8 versions of patch updates, I still discovered a vulnerability here. And the exploitation method is different from CVE-2022-43192.

Vulnerability to reproduce

Log in to the backend of the website.

Upload the file phpinfo.php, the content of the file is as follows:

Visit phpinfo.php:

Vulnerability Analysis

After adding comments using the /**/ symbol in PHP, any code within the comment block will not be checked and can be easily uploaded. However, during actual access, the /**/ comment symbols may not work as expected and the code within can still be executed.

Related news

CVE-2022-43192: GitHub - linchuzhu/Dedecms-v5.7.101-RCE

An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE