Exploit
CVE-2024-6940

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Jul 21, 2024 / Updated: 4mo ago

010
CVSS 5.1EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been identified in DedeCMS version 5.7.114, specifically affecting an unknown part of the file article_template_rand.php. This vulnerability allows for code injection and can be exploited remotely without requiring user interaction. The attack complexity is considered low, but it does require high privileges to execute. The vulnerability has been publicly disclosed, potentially increasing the risk of exploitation.

Impact

If successfully exploited, this vulnerability could allow an attacker to inject and execute arbitrary code on the affected DedeCMS system. The potential impacts include: 1. Unauthorized access: Attackers could gain high-level access to the system. 2. Data manipulation: The integrity of the website content and database could be compromised. 3. System compromise: Attackers might be able to take control of the server hosting DedeCMS. 4. Information disclosure: Sensitive data stored in the CMS could be exposed. While the CVSS v4 base score is 5.1 (Medium severity), the vulnerability is classified as critical, indicating its potential for severe consequences. The CVSS v3.1 base score is higher at 7.2, reflecting a High severity rating. This discrepancy suggests that the vulnerability's impact could be significant despite the lower v4 score.

Exploitation

One proof-of-concept exploit is available on gitee.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information available, no official patch has been released for this vulnerability. The vendor (DedeCMS) was contacted about this issue but did not respond, suggesting that an official fix may not be immediately available. Users of DedeCMS 5.7.114 should consider this vulnerability unpatched and take appropriate mitigation measures.

Mitigation

Given the absence of an official patch, consider implementing the following mitigation strategies: 1. Access Control: Strictly limit access to the affected file (article_template_rand.php) and the DedeCMS admin interface to only trusted, necessary users. 2. Input Validation: Implement rigorous input validation and sanitization for all user-supplied data that interacts with the affected file. 3. Network Segmentation: If possible, place the DedeCMS server behind a reverse proxy or WAF to filter malicious requests. 4. Monitoring: Enhance logging and monitoring for the DedeCMS installation, particularly focusing on activities related to article_template_rand.php. 5. Temporary Measures: If feasible, consider temporarily disabling the affected functionality without disrupting critical operations. 6. Update Strategy: Regularly check for updates from DedeCMS and be prepared to apply a patch as soon as it becomes available. 7. Alternative Solutions: Evaluate the possibility of upgrading to a newer, unaffected version of DedeCMS if available, or consider alternative CMS solutions if the risk is deemed too high. Given the critical nature of this vulnerability and its potential for remote exploitation, prioritize these mitigation efforts and closely monitor the system for any signs of compromise.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-6940. See article

Jul 21, 2024 at 5:40 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 21, 2024 at 5:40 AM
CVE Assignment

NVD published the first details for CVE-2024-6940

Jul 21, 2024 at 6:15 AM
CVSS

A CVSS base score of 4.7 has been assigned.

Jul 21, 2024 at 6:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16%)

Jul 21, 2024 at 11:10 AM
Trending

This CVE started to trend in security discussions

Jul 21, 2024 at 12:24 PM
Trending

This CVE stopped trending in security discussions

Jul 22, 2024 at 7:40 PM
CVSS

A CVSS base score of 7.2 has been assigned.

Sep 10, 2024 at 8:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 10, 2024 at 11:11 PM
Static CVE Timeline Graph

Affected Systems

Dedecms/dedecms
+null more

Exploits

https://gitee.com/fushuling/cve/blob/master/dedeCMS%20V5.7.114%20article_template_rand.php%20code%20injection.md
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

News

CVE-2024-6940 Exploit
CVE Id : CVE-2024-6940 Published Date: 2024-09-10T20:12:00+00:00 A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE:
CVE-2024-6940
Medium Severity Description A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Read more at https://www.tenable.com/cve/CVE-2024-6940
NA - CVE-2024-6940 - A vulnerability was found in DedeCMS 5.7.114....
Cvss vector : N/A Overall CVSS Score NA Base Score NA Environmental Score NA impact SubScore NA Temporal Score NA Exploitabality Sub Score NA Calculate full CVSS 3.0 Vectors scores Cvss vector : Cvss Base Score N/A Attack Range N/A Cvss Impact Score N/A Attack Complexity N/A Cvss Expoit Score N/A Authentication N/A Calculate full CVSS 2.0 Vectors scores
CVE-2024-6940 - Exploits & Severity - Feedly
Feedly estimated the CVSS score as HIGH This affects an unknown part of the file article_template_rand.php.
Critical Vulnerability in DedeCMS 5.7.114 Allow Remote Code Injection
- MEDIUM - CVE-2024-6940 A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
See 7 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI