Description
A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/ky-j/dedecms/issues/1
Scores
CVSS v3
9.8
EPSS
0.0056
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
dedecms/dedecms
5.7 sp2
Published
Apr 25, 2018
Tracked Since
Feb 18, 2026