CVE-2024-2821 in DedeCMSinfo

Summary

by MITRE • 03/22/2024

A vulnerability, which was classified as problematic, has been found in DedeCMS 5.7. Affected by this issue is some unknown functionality of the file /src/dede/friendlink_edit.php. The manipulation of the argument id leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257708. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/13/2025

The vulnerability identified as CVE-2024-2821 represents a critical cross-site request forgery flaw discovered in DedeCMS 5.7 content management system. This vulnerability resides within the /src/dede/friendlink_edit.php file and specifically targets the id argument parameter, creating a significant security risk for affected systems. The flaw allows malicious actors to manipulate the id argument in ways that can execute unauthorized actions within the CMS environment, potentially leading to unauthorized modifications of friend link configurations and other related functionalities.

The technical nature of this vulnerability places it squarely within the CWE-352 category, which specifically addresses Cross-Site Request Forgery vulnerabilities. This classification indicates that the flaw enables attackers to trick authenticated users into performing unintended actions on a web application where they are currently authenticated. The remote exploitability aspect means that attackers can leverage this vulnerability without requiring physical access to the target system, making it particularly dangerous in web-based environments where CMS platforms are commonly deployed.

The operational impact of this vulnerability extends beyond simple data manipulation, as it can potentially enable attackers to compromise the integrity of the CMS's friend link management system. This could result in unauthorized link additions, modifications, or deletions that might be used for phishing campaigns, malicious redirection, or to undermine the credibility of the website. Given that the exploit has been publicly disclosed and is reportedly available for use, the risk exposure is heightened, particularly for organizations that have not yet applied patches or mitigations. The lack of vendor response to early disclosure attempts compounds the security risk, leaving affected systems vulnerable without official remediation guidance.

Organizations utilizing DedeCMS 5.7 should immediately implement defensive measures including input validation and sanitization of the id parameter, implementation of anti-CSRF tokens, and thorough review of access controls for administrative functions. The vulnerability demonstrates the critical importance of maintaining current security patches and implementing proper security monitoring for web applications. Additionally, network segmentation and web application firewalls can provide additional layers of protection while waiting for official vendor remediation. The incident underscores the necessity of proactive vulnerability management and the importance of establishing clear communication channels with software vendors to address security concerns promptly.

Responsible

VulDB

Reservation

03/22/2024

Disclosure

03/22/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00397

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!