CVE-2024-28671

8.8 HIGH

📋 TL;DR

DedeCMS v5.7 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /dede/stepselect_main.php endpoint. An attacker can lure an authenticated administrator to a malicious web page that silently submits a request to this endpoint, causing the administrator's browser to perform unintended actions. Only DedeCMS v5.7 is affected, and exploitation requires a logged-in administrator.

💻 Affected Systems

Products:
  • DedeCMS
Versions: v5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to the DedeCMS backend for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative control over the CMS, modify content, install backdoors, or compromise the entire web server.

🟠 Likely Case

Attackers could modify website content, inject malicious scripts, or create administrative accounts for persistent access.

🟢 If Mitigated

With proper CSRF protections and administrative awareness, exploitation would be prevented despite the vulnerability existing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to weaponize once the vulnerable endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if one exists, or apply the workarounds below.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add anti-CSRF tokens to all administrative forms and validate them server-side.

Manual code modification required: add token generation and validation to /dede/stepselect_main.php.

Restrict Administrative Access

Applies to: all

Limit administrative access to trusted IP addresses only.

Add IP restrictions to .htaccess or the web server configuration for the /dede/ directory.

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and require re-authentication for sensitive actions
  • Use web application firewalls (WAF) with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check whether the /dede/stepselect_main.php endpoint exists and whether its form submissions are accepted without an anti-CSRF token.

Check Version:

Check DedeCMS version in admin panel or system configuration files

Verify Fix Applied:

Test that all administrative forms require and validate CSRF tokens

📡 Detection & Monitoring

Log Indicators:

  • Multiple administrative actions from same session in rapid succession
  • Unusual administrative actions from unexpected user agents

Network Indicators:

  • HTTP POST requests to /dede/stepselect_main.php without Referer headers or from external domains

SIEM Query:

web_access_logs WHERE (uri CONTAINS '/dede/stepselect_main.php' AND method = 'POST') AND (referer NOT CONTAINS own_domain OR referer IS NULL)
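The SIEM logic above, applied to web server access logs, as an added example that is not part of this advisory: it flags POSTs to /dede/stepselect_main.php whose Referer is missing or points at a host other than the site's own. The log lines, the host name cms.example.com and the referer evil.example.net are all constructed for the example; the combined log format is assumed.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOGS = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /dede/stepselect_main.php HTTP/1.1" 200 512 "https://cms.example.com/dede/stepselect_main.php" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /dede/stepselect_main.php HTTP/1.1" 200 512 "https://evil.example.net/lure.html" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /dede/stepselect_main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:12 +0000] "GET /dede/stepselect_main.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:15 +0000] "POST /dede/index.php HTTP/1.1" 200 512 "https://evil.example.net/lure.html" "Mozilla/5.0"
"""

# Fields of the combined log format that the rule needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def flag_csrf_candidates(log_text, own_host, target="/dede/stepselect_main.php"):
    """Return (timestamp, reason) for each POST to the target whose Referer is
    absent or names a host other than own_host. Mirrors the advisory's SIEM rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m["uri"].split("?", 1)[0]
        if m["method"] != "POST" or path != target:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            # A missing Referer is also produced by browser privacy settings and
            # Referrer-Policy, so this branch will carry some false positives.
            hits.append((m["ts"], "missing-referer"))
        elif urlparse(referer).hostname != own_host:
            hits.append((m["ts"], f"external-referer:{urlparse(referer).hostname}"))
    return hits

if __name__ == "__main__":
    for ts, reason in flag_csrf_candidates(SAMPLE_LOGS, "cms.example.com"):
        print(ts, reason)
```

Of the five constructed lines, only the two POSTs with an external or missing Referer are flagged; the same-origin POST, the GET and the POST to a different path are ignored.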
