SQL Injection Vulnerability in DedeCMS by DedeTech
CVE-2023-27709

7.2HIGH

Key Information:

Vendor: Dedecms
Status: Dedecms
Vendor: CVE Published:; 16 March 2023

What is CVE-2023-27709?

A significant SQL injection vulnerability exists in DedeCMS v5.7.106, which allows remote attackers to manipulate SQL queries by exploiting the rank_* parameter in the /dedestory_catalog.php script. This flaw can result in unauthorized access to the database and the execution of arbitrary SQL commands, enabling malicious actors to compromise sensitive data or execute malicious scripts on the server.

References

https://srpopty.github.io/2023/02/27/DedeCMS-V5.7.160-Bac...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 16, 2023
Vulnerability Reserved
Mar 5, 2023

Dedecms

What is CVE-2023-27709?

References

CVSS V3.1

Timeline