CVE-2018-7700
HIGH EXPLOITED NUCLEIdedecms 5.7 - Cross-Site Request Forgery to Remote Code Execution via partcode Parameter
Title source: llmExploitation Summary
CVE-2018-7700 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Nuclei Templates (1)
DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
HIGHby pikpikcu
Shodan:
http.html:"dedecms" || cpe:"cpe:2.3:a:dedecms:dedecms"
FOFA:
body="dedecms" || app="dedecms"
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://laworigin.github.io/2018/03/07/CVE-2018-7700-dedecms%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/
Scores
CVSS v3
8.8
EPSS
0.7171
EPSS Percentile
99.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-11-13
CWE
CWE-352
Status
published
Products (1)
dedecms/dedecms
5.7
Published
Mar 27, 2018
Tracked Since
Feb 18, 2026