This is a cross-site request forgery (CSRF) vulnerability in the DedeCMS administration interface. The application accepted state-changing requests from an authenticated ‘Administrator’ session without verifying that the request had actually been issued by the application's own pages, so a request forged by a third-party site was indistinguishable from a legitimate one. If an attacker lures a logged-in administrator to a page under the attacker's control, the administrator's browser can be made to submit such requests: change the Admin password, add new Administrator accounts, or perform arbitrary actions on the application such as viewing, modifying, or deleting any data. Note that the attacker never logs in; the forged requests ride on the administrator's existing session. DedeCMS v6.1.9 contains the fix, and users are advised to upgrade to the latest version as soon as possible.

Introduction

DedeCMS is a widely deployed PHP content management system, and its administration back end is a high-value target. The CSRF vulnerability described here lets an attacker who can get a logged-in administrator to open a crafted page change the administrator password and perform other privileged actions on the application.

Vulnerability details

The vulnerability is tracked as CVE-2022-43031.
DedeCMS is vulnerable to a CSRF attack: an attacker who induces a logged-in administrator's browser to send a crafted request can change the admin password, add new administrator accounts, and otherwise perform arbitrary actions on the application, such as viewing, modifying, or deleting any data.
DedeCMS v6.1.9 contains the fix, and users are advised to upgrade to the latest version as soon as possible.
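The following Python model is an added illustration, not code from DedeCMS or from the DedeCMS Security Team, of why the vulnerable pattern works and what a fix looks like. It contrasts an admin password-change handler that relies only on the session cookie with one that also requires a per-session synchronizer token and checks the request's Origin. The cookie name PHPSESSID, the session store, the admin table, the form field names and the site origin are all assumptions made for the example.

```python
"""Added example (not DedeCMS code): a CSRF-vulnerable admin action next to
a hardened one. Endpoint shape, cookie name, field names and the in-memory
session/admin stores are assumptions for illustration only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

SITE_ORIGIN = "https://cms.example"      # assumed origin of the CMS
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment secret

# Constructed stand-ins for the CMS session store and admin table.
SESSIONS = {"sess-admin-1": {"user": "admin"}}
ADMINS = {"admin": "old-password"}


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it."""
    cookies: dict
    headers: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    """Per-session token: HMAC(secret, session id). A third-party page never
    sees the session cookie, so it cannot compute or read this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def current_admin(req: Request):
    """Resolve the admin user from the session cookie, or None."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID", ""))
    return sess["user"] if sess else None


def change_password_vulnerable(req: Request) -> bool:
    """Vulnerable pattern: a valid session cookie is the only check. The
    victim's browser attaches that cookie to a form POST from any site."""
    user = current_admin(req)
    if user is None:
        return False
    ADMINS[user] = req.form["new_password"]
    return True


def change_password_hardened(req: Request) -> bool:
    """Hardened pattern: session, then Origin/Referer must match the site,
    then the form must carry the token tied to this session."""
    user = current_admin(req)
    if user is None:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False  # missing or foreign origin fails closed
    expected = csrf_token_for(req.cookies["PHPSESSID"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False
    ADMINS[user] = req.form["new_password"]
    return True


def forged_request() -> Request:
    """What an attacker's page can produce: the browser adds the victim's
    session cookie automatically, but the page cannot supply the token."""
    return Request(
        cookies={"PHPSESSID": "sess-admin-1"},
        headers={"Origin": "https://attacker.example"},
        form={"new_password": "pwned"},
    )


def legitimate_request() -> Request:
    """A post from the CMS's own change-password form."""
    return Request(
        cookies={"PHPSESSID": "sess-admin-1"},
        headers={"Origin": SITE_ORIGIN},
        form={"new_password": "n3w-secret",
              "csrf_token": csrf_token_for("sess-admin-1")},
    )


def demo() -> dict:
    """Run both handlers against both requests and report the outcomes."""
    ADMINS["admin"] = "old-password"
    results = {"vulnerable_forged": change_password_vulnerable(forged_request()),
               "password_after_vulnerable": ADMINS["admin"]}
    ADMINS["admin"] = "old-password"
    results["hardened_forged"] = change_password_hardened(forged_request())
    results["password_after_forged_hardened"] = ADMINS["admin"]
    results["hardened_legitimate"] = change_password_hardened(legitimate_request())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request succeeds against the vulnerable handler and is rejected by the hardened one, while the CMS's own form still works. In a real deployment the token check is the primary control; the Origin check and a SameSite attribute on the session cookie are defence in depth, and neither replaces the token, since the attacker page never needs to read the cookie to get the browser to send it.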

DedeCMS 6.1.9 and 6.2 Implementation Notes

The following changes were made in the DedeCMS 6.1.9 release:
- The fix for CVE-2022-43031 was implemented in this release.
- The DedeCMS website was updated with more information about CVE-2022-43031 and the work done to address it.
- A small number of minor bugs reported after the release mentioned above were also fixed.

DedeCMS v6.1.9 and v6.2 both contain the fix. Users on earlier versions are advised to upgrade to the latest version as soon as possible.

Patch availability

This vulnerability was patched in DedeCMS v6.1.9, and the patched release can be downloaded from the DedeCMS website. Version 6.1.9 is cumulative: it fixes this vulnerability and includes the fixes released in the previous DedeCMS versions listed below:
DedeCMS v6.1.2
DedeCMS v6.0
DedeCMS v5.9
DedeCMS v5.8

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/10/2022 14:24:00 UTC
