Submit #829415: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection

Title: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection
Description: A medium-severity SQL injection vulnerability exists in the carbuyaction.php component of DedeCMS, affecting version V5.7.88. The vulnerability is located in the shopping cart checkout function, where the user-controlled shipping information parameters (postname, address, email, des) are processed only by the RemoveXSS() and cn_substrR() functions. RemoveXSS() (include/helpers/filter.helper.php, line 69) is designed to filter XSS attack vectors (e.g., control characters) and does not escape SQL special characters. These unescaped parameters are concatenated directly into the INSERT statement for the #@__shops_userinfo table at lines 190-192. Additionally, the $val['title'] (product title) value in the INSERT statement for the #@__shops_products table (lines 187-188) is not SQL-escaped either.

Example payloads (POST request, any of the following parameters):

1. Using the postname parameter: POST /plus/carbuyaction.php, parameter postname=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -
2. Using the des parameter: POST /plus/carbuyaction.php, parameter des=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -

Successful exploitation allows unauthenticated remote attackers to execute arbitrary SQL queries, extract sensitive data (including administrator credentials), and manipulate database records related to orders, user information, and products. The vulnerability is fully exploitable because the application fails to apply proper SQL escaping to user-controlled input in the checkout process.

Vulnerable code location: carbuyaction.php lines 178-193, where user-controlled parameters are concatenated directly into INSERT SQL queries without SQL protection.
User: R21Z20 (UID 97129)
Submission: 14.05.2026 07:25 (21 days ago)
Moderation: 02.06.2026 13:30 (19 days later)
Status: Accepted
VulDB Entry: 367915 [DedeCMS 5.7.88 /plus/carbuyaction.php RemoveXSS postname/des SQL Injection]
Points: 17
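The root cause described above, an XSS-only filter followed by direct string concatenation into an INSERT, is shown below beside the prepared-statement form that removes the defect. This is an added example written for this page; it is not DedeCMS's code or the submitter's, and it does not use DedeCMS's database layer. It assumes an in-memory SQLite database through PDO so it runs offline, and the table shops_userinfo with its columns is a constructed stand-in for the #@__shops_userinfo table, not the real schema. The helper xssFilterOnly() is a hypothetical stand-in for RemoveXSS().

```php
<?php
// Added example (not DedeCMS's own code): the pattern from the submission,
// input that is filtered for XSS only and then concatenated into an INSERT,
// beside a prepared-statement version. Runs offline on an in-memory SQLite
// database via PDO; the table and column names are constructed stand-ins
// for the #@__shops_userinfo table, not DedeCMS's real schema.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE shops_userinfo (
                   oid TEXT, postname TEXT, address TEXT, email TEXT, des TEXT)');
    return $db;
}

// Hypothetical stand-in for RemoveXSS(): removes markup but leaves SQL
// metacharacters such as the single quote untouched, which is the root cause.
function xssFilterOnly(string $s): string
{
    return strip_tags($s);
}

// Vulnerable pattern: filtered values are interpolated into the SQL text,
// so a quote in any of them changes the structure of the statement.
function insertUserInfoUnsafe(PDO $db, string $oid, array $post): void
{
    $postname = xssFilterOnly($post['postname'] ?? '');
    $address  = xssFilterOnly($post['address'] ?? '');
    $email    = xssFilterOnly($post['email'] ?? '');
    $des      = xssFilterOnly($post['des'] ?? '');
    $sql = "INSERT INTO shops_userinfo (oid, postname, address, email, des) "
         . "VALUES ('$oid', '$postname', '$address', '$email', '$des')";
    $db->exec($sql);
}

// Hardened pattern: the SQL text is fixed and every value travels as a bound
// parameter, so user input can only ever be data, never part of the query.
function insertUserInfoSafe(PDO $db, string $oid, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO shops_userinfo (oid, postname, address, email, des) '
      . 'VALUES (:oid, :postname, :address, :email, :des)');
    $stmt->execute([
        ':oid'      => $oid,
        ':postname' => xssFilterOnly($post['postname'] ?? ''),
        ':address'  => xssFilterOnly($post['address'] ?? ''),
        ':email'    => xssFilterOnly($post['email'] ?? ''),
        ':des'      => xssFilterOnly($post['des'] ?? ''),
    ]);
}

// Constructed checkout request: a legitimate name that happens to contain
// a single quote. No exploit payload is needed to show the defect.
$post = [
    'postname' => "O'Brien",
    'address'  => '1 Example Street',
    'email'    => 'obrien@example.invalid',
    'des'      => 'leave at door',
];

$db = makeDb();

try {
    insertUserInfoUnsafe($db, 'ORDER-1', $post);
    echo "unsafe insert succeeded\n";
} catch (PDOException $e) {
    // The quote terminated the string literal early and the database saw a
    // malformed statement: the same mechanism that lets attacker-chosen
    // input rewrite the query when the rest of it is valid SQL.
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

insertUserInfoSafe($db, 'ORDER-2', $post);
$row = $db->query("SELECT postname FROM shops_userinfo WHERE oid = 'ORDER-2'")
          ->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored the name verbatim: " . $row['postname'] . "\n";
```

Run it with `php example.php`: the unsafe path raises a syntax error on an ordinary name with an apostrophe, while the prepared statement stores the same value unchanged. The point for a reviewer of the affected code is that an XSS filter says nothing about SQL safety; each value that reaches the INSERT at the cited lines must either be bound as a parameter or escaped by the database layer immediately before concatenation, and the same applies to the product title written to #@__shops_products.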
