CVE-2024-30855

8.8 HIGH

📋 TL;DR

DedeCMS v5.7 contains a cross-site request forgery (CSRF) vulnerability in makehtml_list_action.php, an administrative action script. The script acts on request parameters without verifying that the request was deliberately submitted from the admin backend, so a web page controlled by the attacker can make a logged-in administrator's browser send the request with the admin's session cookie attached. Every DedeCMS v5.7 installation whose admin backend is reachable from the administrator's browser is affected, which is the normal deployment. The attacker needs no credentials of their own and gains whatever the forged request can do on the admin's behalf, such as changing site content or settings without the admin's knowledge.

💻 Affected Systems

Products:
  • DedeCMS
Versions: v5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The admin backend must be reachable from the administrator's browser, which is the normal case; the forged request is sent by that browser, not directly by the attacker. The advisory gives the script path as /src/dede/makehtml_list_action.php (the source-tree layout); on a deployed site it lives in the admin directory, usually /dede/ unless the operator renamed it.

📦 What is this software?

DedeCMS is a PHP and MySQL based content management system from DesDev, widely used for Chinese-language websites. Its administrative backend is a set of PHP scripts under a single admin directory; action scripts such as makehtml_list_action.php perform state-changing operations (here, regenerating static list pages) on behalf of the logged-in administrator.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could completely compromise the CMS by tricking an admin into executing malicious requests that modify system configurations, inject backdoors, or delete critical content.

🟠

Likely Case

Attackers would typically use this to modify website content, inject malicious scripts, or change administrative settings to maintain persistence.

🟢

If Mitigated

With proper CSRF protections and admin awareness, the risk is significantly reduced as attacks require user interaction and authentication.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an administrator who is currently logged in to the DedeCMS backend to open a page the attacker controls (or load attacker-controlled content embedded elsewhere) while that session is still valid. The attacker needs no account on the site; the victim's browser supplies the authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Apply workarounds or upgrade to a newer version if available.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add CSRF token validation to makehtml_list_action.php and to every other administrative action script: issue a per-session random token, embed it in each admin form as a hidden field, and reject any request to an action script that does not carry the matching token. Check the token before any request parameter is acted on, and compare it in constant time.

Edit /src/dede/makehtml_list_action.php (the admin directory on a deployed site, usually /dede/) so that the token check runs at the top of the script, and add the hidden token field to the form that submits to it.

Restrict Administrative Access

Applies to: all

Limit access to the administrative directory to trusted IP addresses only. This narrows exposure rather than removing it: the forged request still originates from the administrator's own browser, so an admin on an allowed address who opens the attacker's page is still affected. Combine it with the token check or with SameSite session cookies.

Add IP-based restrictions in .htaccess or in the web server configuration for the /src/dede/ directory (or whatever the admin directory is named on the deployed site).
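The token check described under "Implement CSRF Tokens", as an added example written for this page; it is not DedeCMS code and not the vendor's fix. The function names, the `_csrf` parameter name, the `csrf_token` session key and the `csrf_guard.php` file name are assumptions chosen for illustration, and it needs PHP 7.1 or later.

```php
<?php
// Added example (not DedeCMS code): a minimal CSRF guard for admin action scripts.
// Function names, the "_csrf" parameter name and the "csrf_token" session key are
// assumptions for illustration; adapt them to the site's own conventions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_PARAM       = '_csrf';

/** Return the per-session token, creating it on first use. */
function csrf_token_issue(): string
{
    // The admin include normally starts the session already; avoid a second start.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside HTML attributes.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to place in every admin form that submits to a state-changing script. */
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="' . CSRF_PARAM . '" value="'
        . htmlspecialchars(csrf_token_issue(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only if the request carries the session's token; compared in constant time.
 * The token is accepted from a POST field, a GET parameter or a request header so
 * that links and AJAX calls can carry it. It is never read from a cookie, because a
 * cookie is exactly what the victim's browser attaches to a forged request.
 */
function csrf_token_verify(array $post, array $get, array $server, string $expected): bool
{
    $supplied = $post[CSRF_PARAM] ?? $get[CSRF_PARAM] ?? $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!is_string($supplied) || $supplied === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

/**
 * Defence in depth: if the browser sent an Origin or Referer header, its host must be
 * our own. An absent header is tolerated (privacy settings strip it); the token above
 * is the real check. SERVER_NAME comes from the server config, not from the client.
 */
function same_origin_ok(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null || $source === '') {
        return true;
    }
    $host = parse_url($source, PHP_URL_HOST);   // "Origin: null" yields no host and is rejected
    return is_string($host) && strcasecmp($host, (string) ($server['SERVER_NAME'] ?? '')) === 0;
}

/** Call this before an action script does any work; it ends the request on failure. */
function csrf_guard(): void
{
    $expected = csrf_token_issue();
    if (!csrf_token_verify($_POST, $_GET, $_SERVER, $expected) || !same_origin_ok($_SERVER)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Request rejected: missing or invalid CSRF token.\n";
        exit;
    }
}

// Wiring (assumed layout): at the top of makehtml_list_action.php, after the admin
// config/session include and before any action code runs:
//     require_once __DIR__ . '/csrf_guard.php';
//     csrf_guard();
// and inside each form that targets the script:
//     echo csrf_hidden_field();
```

Because an action script exists only to change state, the guard demands the token on every invocation regardless of HTTP method; DedeCMS admin pages trigger some actions through plain GET links, and exempting GET would leave those forgeable. Prefer sending the token in a POST field or header rather than a URL parameter so it does not land in access logs or Referer headers, and regenerate it together with the session on login.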

🧯 If You Can't Patch

  • Set the admin session cookie with SameSite=Lax or SameSite=Strict (for PHP 7.3 and later via session.cookie_samesite, or by rewriting Set-Cookie in the web server) so that cross-site POSTs from other origins do not carry it, and require re-authentication for sensitive actions
  • Have the web server reject requests to the admin directory whose Origin or Referer host is not the site's own; treat this as a stopgap, since a missing header cannot be distinguished from a stripped one
  • Tell administrators to log out of the backend before browsing elsewhere and not to follow untrusted links while logged in; browser-side blockers are a weak substitute for the server-side token check

🔍 How to Verify

Check if Vulnerable:

Locate makehtml_list_action.php in the admin directory (the advisory path /src/dede/ corresponds to /dede/ on most deployed sites, or the renamed admin directory) and read how it handles a request: it is vulnerable if it acts on request parameters after checking only that an admin session exists. A per-session secret the attacker cannot know (a token from a hidden form field or request header) must be validated before any action; a Referer check alone does not count.

Check Version:

Check DedeCMS version in system configuration or admin panel

Verify Fix Applied:

Verify that the token is generated per session and validated in the affected file, then test it: submit the admin form normally and confirm the action runs, and replay the same request from a second browser or with the token removed or altered and confirm it is rejected before anything is regenerated.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to makehtml_list_action.php from different sessions in short time
  • Unusual administrative actions without corresponding user login patterns

Network Indicators:

  • HTTP requests to makehtml_list_action.php with unexpected referer headers
  • CSRF attack patterns in web application firewall logs

SIEM Query:

source="web_logs" AND uri="/src/dede/makehtml_list_action.php" AND method="POST" AND NOT referer CONTAINS "expected_domain"

Adjust the uri to the deployed admin directory. The query must also match requests with an empty or absent Referer, since a forged request launched from a page with a no-referrer policy carries none; a Referer from the expected domain is supporting evidence, not proof, because the header is set by the victim's browser and can be suppressed but not forged by the attacker's page.
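The same detection logic as an offline check over web-server access logs, added here as an example and not part of the advisory. The expected host name, the /dede/ admin path, the target script name and the four log lines are constructed for illustration; it parses the Apache/Nginx "combined" format and needs PHP 7.1 or later.

```php
<?php
// Added example (not part of the advisory): the SIEM query above as an offline check
// over access logs in combined format. EXPECTED_HOST, the /dede/ path and the sample
// log lines below are constructed for illustration.

declare(strict_types=1);

const EXPECTED_HOST = 'www.example.com';            // assumption: the site's own host
const TARGET_SCRIPT = 'makehtml_list_action.php';

// combined format: host ident user [time] "method path proto" status bytes "referer" "ua"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

/** Parse one combined-format line into named fields, or null if it does not match. */
function parse_combined(string $line): ?array
{
    if (!preg_match(COMBINED_RE, trim($line), $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

/**
 * Classify a parsed request. Only state-changing (non-GET/HEAD) requests to the
 * target script matter. "-" means the browser sent no Referer at all, which a
 * cross-site auto-submitting form on a no-referrer page also produces, so it is
 * reported as its own verdict rather than treated as clean.
 */
function classify(array $r): ?string
{
    $path = parse_url($r['path'], PHP_URL_PATH);
    if (!is_string($path) || substr($path, -strlen(TARGET_SCRIPT)) !== TARGET_SCRIPT) {
        return null;
    }
    if (in_array($r['method'], ['GET', 'HEAD'], true)) {
        return null;
    }
    if ($r['referer'] === '-' || $r['referer'] === '') {
        return 'no-referer';
    }
    $host = parse_url($r['referer'], PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, EXPECTED_HOST) !== 0) {
        return 'cross-site';
    }
    return null;
}

/** Return [ip, time, verdict, referer] for each suspicious request in the log text. */
function find_suspicious(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $r = parse_combined($line);
        if ($r === null) {
            continue;                               // not combined format; skip quietly
        }
        $verdict = classify($r);
        if ($verdict !== null) {
            $hits[] = [$r['ip'], $r['time'], $verdict, $r['referer']];
        }
    }
    return $hits;
}

// Constructed sample: a legitimate admin submission, one forged from an attacker's
// page, one with the Referer stripped, and a harmless GET to a different script.
$sample = <<<'LOG'
203.0.113.10 - - [02/May/2024:10:01:07 +0000] "POST /dede/makehtml_list_action.php HTTP/1.1" 200 512 "https://www.example.com/dede/makehtml_list.php" "Mozilla/5.0"
203.0.113.10 - - [02/May/2024:10:03:19 +0000] "POST /dede/makehtml_list_action.php HTTP/1.1" 200 512 "https://attacker.example.net/csrf.html" "Mozilla/5.0"
203.0.113.10 - - [02/May/2024:10:04:40 +0000] "POST /dede/makehtml_list_action.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2024:10:05:02 +0000] "GET /dede/index.php HTTP/1.1" 200 2048 "https://www.example.com/dede/" "Mozilla/5.0"
LOG;

foreach (find_suspicious($sample) as [$ip, $time, $verdict, $referer]) {
    printf("%-11s %s %s referer=%s\n", $verdict, $time, $ip, $referer);
}
```

On the sample it reports the second line as cross-site and the third as no-referer; the first is a normal backend submission and the fourth is ignored as a GET to another script. Run it on the web host with `php -f` against a copy of the access log, and correlate hits with the admin's login activity, since the source IP of a forged request is the administrator's own.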
