SQL Injection Flaw in DedeCMS Affects Version 5.7.112
CVE-2024-3148

8.8HIGH

Key Information:

Vendor
DedeCMS
Status
Dedecms
Vendor
CVE Published:
2 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant vulnerability exists in DedeCMS version 5.7.112, where improper handling of the script dede/makehtml_archives_action.php allows attackers to execute SQL injection attacks remotely. This flaw enables malicious users to alter database queries, potentially compromising sensitive data and system integrity. Although the vendor was informed of this issue, no response has been documented, leaving users at risk. It is critical for users of DedeCMS to apply necessary security measures or consider upgrading their systems to mitigate potential exploitation.

Affected Version(s)

DedeCMS 5.7.112

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3148 - Proof of Concept

References

https://vuldb.com/?id.258923
vdb-entry
https://vuldb.com/?ctiid.258923
signaturepermissions-required
https://vuldb.com/?submit.303889
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

Credit

gatsby (VulDB User)
.