CVE-2025-5137
Critical vulnerability in DedeCMS 5.7.117 causing code injection
Overview
A critical vulnerability was found in DedeCMS 5.7.117 which leads to code injection. The attack can be launched remotely. Despite patch for CVE-2018-9175, the incomplete fix still left the system vulnerable.
Technical Details
The flaw lies in an unknown function of the file dede/sys_verifies.php?action=getfiles within the system. The vulnerability arises from the manipulation of the argument 'refiles' resulting in code injection.
CVSS Metrics
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Required Priviliges: HIGH
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW
Impact
Despite the moderate score, the impact is noteworthy due to its code injection capabilities. Remote attackers could potentially breach the systems.
Recommendations
Patching of software should be done as soon as updates are available. Reducing the amount of privileges needed for users can also help to mitigate the severity of this vulnerability.
Threat Metrics
- cvss_score: 4.7
- severity: MEDIUM
- attack_vector: NETWORK
- attack_complexity: LOW