CVE-2020-18917
Severity: HIGH
DedeCMS 5.7 SP2 - Remote Code Execution via typename Parameter
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
References (1)
Core References
Tags: Exploit, Third Party Advisory (x_refsource_misc)
http://tusk1.cn/2019/05/12/DeDecms-v5-7-sp2-CRSF-%E6%96%87%E4%BB%B6%E6%93%8D%E4%BD%9C-%E5%89%8D%E5%8F%B0getshell/
Scores
CVSS v3
8.8
EPSS
0.0020
EPSS Percentile
42.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
dedecms/dedecms
5.7 sp2
Published
Aug 24, 2021
Tracked Since
Feb 18, 2026