CVE-2018-9134
HIGHDedeCMS 5.7 - Cross-Site Request Forgery via File Rename Action
Title source: llmDescription
file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.
References (2)
Core 2
Core References
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/141335
Broken Link x_refsource_misc
https://xz.aliyun.com/t/2234
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
53.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
dedecms/dedecms
5.7
Published
Mar 30, 2018
Tracked Since
Feb 18, 2026