CVE-2024-3686 - OpenCVE

A vulnerability has been found in DedeCMS 5.7.112-UTF8 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file update_guide.php. The manipulation of the argument files leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260473 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/Echosssy/CVE/blob/main/Dedecms%E6%9C%80%E6%96%B0%E7%89%88%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4%E7%BB%95%E8%BF%87.pdf
https://vuldb.com/?ctiid.260473
https://vuldb.com/?id.260473
https://vuldb.com/?submit.309454

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2024-04-12T13:31:04.514Z

Updated: 2024-04-12T13:31:04.514Z

Reserved: 2024-04-12T06:40:40.895Z

Link: CVE-2024-3686

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-12T14:15:08.003

Modified: 2024-05-17T02:40:03.933

Link: CVE-2024-3686

JSON object: View

Redhat Information

No data.

CWE

CWE-24

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-3686", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-04-12T06:40:40.895Z", "datePublished": "2024-04-12T13:31:04.514Z", "dateUpdated": "2024-04-12T13:31:04.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-12T13:31:04.514Z"}, "title": "DedeCMS update_guide.php path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-24", "lang": "en", "description": "CWE-24 Path Traversal: '../filedir'"}]}], "affected": [{"vendor": "n/a", "product": "DedeCMS", "versions": [{"version": "5.7.112-UTF8", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in DedeCMS 5.7.112-UTF8 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file update_guide.php. The manipulation of the argument files leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260473 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In DedeCMS 5.7.112-UTF8 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei update_guide.php. Durch Manipulation des Arguments files mit unbekannten Daten kann eine path traversal: '../filedir'-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "timeline": [{"time": "2024-04-12T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-04-12T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-04-12T08:45:45.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ting (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.260473", "name": "VDB-260473 | DedeCMS update_guide.php path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.260473", "name": "VDB-260473 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.309454", "name": "Submit #309454 | \u4e0a\u6d77\u5353\u5353\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8 Dedecms DedeCMS-V5.7.112-UTF8 any file deleted", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Echosssy/CVE/blob/main/Dedecms%E6%9C%80%E6%96%B0%E7%89%88%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4%E7%BB%95%E8%BF%87.pdf", "tags": ["exploit"]}]}}}

{"descriptions": [{"lang": "en", "value": "A vulnerability has been found in DedeCMS 5.7.112-UTF8 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file update_guide.php. The manipulation of the argument files leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260473 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en DedeCMS 5.7.112-UTF8 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo update_guide.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n de los archivos de argumentos conduce al path traversal: '../filedir'. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-260473. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2024-3686", "lastModified": "2024-05-17T02:40:03.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-04-12T14:15:08.003", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Echosssy/CVE/blob/main/Dedecms%E6%9C%80%E6%96%B0%E7%89%88%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4%E7%BB%95%E8%BF%87.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.260473"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.260473"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.309454"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-24"}], "source": "cna@vuldb.com", "type": "Secondary"}]}