CVE-2024-28675

Severity: 8.8 HIGH

📋 TL;DR

DedeCMS v5.7 contains a CSRF vulnerability in the /dede/diy_edit.php endpoint that allows attackers to trick authenticated administrators into performing unauthorized actions. This affects all DedeCMS v5.7 installations with the default configuration. Attackers can modify content, change settings, or perform other administrative actions without the victim's knowledge.

💻 Affected Systems

Products:
  • DedeCMS
Versions: v5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the /dede/diy_edit.php endpoint accessible and administrative accounts available.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover through administrative account compromise, content defacement, or injection of malicious code leading to data theft.

🟠 Likely Case

Unauthorized content modification, configuration changes, or injection of SEO spam/backdoors through tricked administrators.

🟢 If Mitigated

Limited impact with proper CSRF protections, admin awareness, and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into visiting a malicious page while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for official patch from DedeCMS developers
2. Apply patch if available
3. Verify fix by testing CSRF protection on /dede/diy_edit.php

🔧 Temporary Workarounds

Add CSRF Token Protection (platform: all)

Implement CSRF tokens in the diy_edit.php form and validate them on submission.

Manual code modification required: add token generation and validation.
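Added example (not part of this page or of DedeCMS's own code) of the token generation and validation described above, using the synchronizer-token pattern with PHP sessions, random_bytes() and hash_equals(). The function names csrf_token, csrf_field, csrf_check and same_origin_check, the OWN_HOST placeholder and the placement at the top of the diy_edit.php POST handler are assumptions for illustration:

```php
<?php
// Added example (not DedeCMS code): synchronizer-token CSRF protection for an
// admin form such as diy_edit.php. Function names are hypothetical; it assumes
// PHP sessions are used for the admin area.

const OWN_HOST = 'your-domain.com';   // placeholder: the site's own hostname

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits of CSPRNG output
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to emit inside the edit form (escaped for attribute context).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token; true only when it matches the session token.
function csrf_check(array $post, string $sessionToken): bool
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || $sessionToken === '') {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    return hash_equals($sessionToken, $sent);
}

// Defence in depth: reject state-changing requests whose Origin (or, failing
// that, Referer) names another host. A request with neither header is allowed
// so that strict browser privacy settings do not lock admins out; the token
// check above remains the control that actually closes the CSRF.
function same_origin_check(array $server, string $ownHost): bool
{
    $hdr = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($hdr === '') {
        return true;
    }
    $host = parse_url($hdr, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Hypothetical placement: before any state-changing code in diy_edit.php.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, csrf_token()) || !same_origin_check($_SERVER, OWN_HOST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... original diy_edit.php processing continues here ...
}

// When rendering the form, emit the token field inside the <form> element:
// echo csrf_field();
```

The token check is the real fix; the Origin/Referer check only narrows the window for mistakes elsewhere. Regenerate the session token on login (and on logout) so a token captured from an old session is useless, and apply the same check to every other state-changing admin endpoint, not only diy_edit.php.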

Restrict Access to Admin Interface (platform: all)

Limit access to the /dede/ directory to trusted IP addresses only (replace 192.168.1.0/24 with your own trusted range).

# Apache (mod_access_compat / 2.2 syntax), inside the <Directory> or <Location> block for /dede/
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

# Nginx, inside the location block for /dede/
allow 192.168.1.0/24;
deny all;

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and require re-authentication for sensitive actions
  • Use web application firewall (WAF) rules to detect and block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Test if /dede/diy_edit.php accepts POST requests without CSRF tokens when authenticated

Check Version:

Check DedeCMS version in system configuration or /data/common.inc.php

Verify Fix Applied:

Verify CSRF tokens are required and validated for all POST requests to /dede/diy_edit.php

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /dede/diy_edit.php from different referrers
  • Unauthorized modifications from admin accounts

Network Indicators:

  • HTTP requests to /dede/diy_edit.php with suspicious referrer headers
  • Cross-origin requests to admin endpoints

SIEM Query:

source="web_logs" AND uri="/dede/diy_edit.php" AND method="POST" AND referrer NOT CONTAINS "your-domain.com"
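Added example (not part of this page or of DedeCMS's own code) of the detection logic behind the SIEM query above, run over constructed combined-format access-log lines. It flags POST requests to /dede/diy_edit.php whose Referer is missing ("-") or names another host; the missing-Referer case matters because a plain NOT CONTAINS match on the referrer field does not catch requests that carry no Referer at all. The OWN_HOST placeholder, the sample IP and the log lines are constructed for illustration:

```php
<?php
// Added example (not DedeCMS code): flag cross-site POSTs to /dede/diy_edit.php
// in combined-format access logs. All log lines below are constructed.

const OWN_HOST = 'your-domain.com';   // placeholder: the site's own hostname

// Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';

// Parse one line into its fields, or return null for lines in another format.
function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

// A POST to the edit endpoint is suspicious when the Referer is absent or
// belongs to another host; same-site form submissions carry the site's own host.
function is_suspicious(array $r): bool
{
    $path = explode('?', $r['path'], 2)[0];   // drop any query string
    if ($r['method'] !== 'POST' || $path !== '/dede/diy_edit.php') {
        return false;
    }
    if ($r['referer'] === '-' || $r['referer'] === '') {
        return true;   // cross-site submissions frequently arrive with no Referer
    }
    $host = parse_url($r['referer'], PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, OWN_HOST) !== 0;
}

// Return the parsed records that should raise an alert.
function find_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r !== null && is_suspicious($r)) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample: a normal edit session followed by two cross-site POSTs.
$sample = [
    '203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /dede/diy_edit.php?id=1 HTTP/1.1" 200 512 "https://your-domain.com/dede/diy_main.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:01:30 +0000] "POST /dede/diy_edit.php HTTP/1.1" 302 0 "https://your-domain.com/dede/diy_edit.php?id=1" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:07:44 +0000] "POST /dede/diy_edit.php HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:08:01 +0000] "POST /dede/diy_edit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// Only the last two lines are reported.
foreach (find_suspicious($sample) as $hit) {
    printf("ALERT %s %s POST %s referer=%s\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['referer']);
}
```

Treat a hit as a trigger for review rather than proof of compromise: privacy extensions and Referrer-Policy settings strip the header for legitimate admins too, so correlate each alert with the session's preceding GET of the same form and with the content changes recorded around that time.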
