DedeCMS
CVE-2025-15004
LOW
Severity by source
CVSS 4.0 vector (NVD, primary and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in DedeCMS up to version 5.7.118 via the orderby parameter in /freelist_main.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact on confidentiality, integrity, and availability. Publicly available exploit code exists and the vulnerability requires valid user authentication (PR:L) to exploit, significantly limiting real-world risk despite network accessibility.
Technical Context (AI)
DedeCMS is a PHP-based open-source content management system. The vulnerability exists in the /freelist_main.php file, where the orderby parameter is passed to a database query without proper input validation or parameterized query protection. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) weakness: user-supplied input is not sanitized before being incorporated into SQL statements. The attack vector is network-based (AV:N) with low attack complexity (AC:L), and exploitation requires authenticated access (PR:L). The root cause is that the parameter handling does not use prepared statements or input filtering for database operations.
Remediation (AI)
Upgrade DedeCMS to a version newer than 5.7.118 that includes input validation and parameterized query fixes for the orderby parameter in /freelist_main.php. If immediate upgrade is not feasible, implement Web Application Firewall (WAF) rules to block requests containing SQL keywords (SELECT, UNION, OR, AND) in the orderby parameter, though this may cause false positives on legitimate queries. Apply strict input validation at the application layer to accept only whitelisted column names for the orderby parameter (e.g., regex pattern matching against allowed field names). Restrict access to /freelist_main.php to trusted internal networks or authenticated users with minimal privilege levels. Review DedeCMS security advisories and vendor documentation for patch availability and release notes confirming SQL injection fixes.
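An added example of the allowlist approach described above, not code from DedeCMS or its vendor: the column map, the table name and the request handling are assumptions. It also shows why prepared statements alone do not cover this case, since an ORDER BY column identifier cannot be bound as a query parameter.

```php
<?php
// Added example (not DedeCMS code): allowlist-based handling of an
// "orderby" request parameter before it is placed into ORDER BY.
// Identifiers cannot be bound as prepared-statement parameters, so the
// fix is a strict map from accepted client names to real column names.

// Hypothetical column map for a listing page. Keys are what the client
// may send; values are the SQL identifiers actually used.
const ALLOWED_ORDERBY = [
    'id'      => 'id',
    'title'   => 'title',
    'pubdate' => 'pubdate',
];

/**
 * Returns a safe ORDER BY fragment ("`col` ASC|DESC"), or null when the
 * input is not an allowlisted column. An optional "asc"/"desc" suffix
 * is accepted; anything else (commas, parentheses, quotes) is rejected.
 */
function buildOrderBy(string $userInput): ?string
{
    if (!preg_match('/^\s*([a-z_]+)(?:\s+(asc|desc))?\s*$/i', $userInput, $m)) {
        return null;
    }
    $key = strtolower($m[1]);
    if (!array_key_exists($key, ALLOWED_ORDERBY)) {
        return null;
    }
    // $m[2] is absent when no direction was given (PHP drops trailing
    // unmatched groups), so default to ASC.
    $dir = (isset($m[2]) && strtolower($m[2]) === 'desc') ? 'DESC' : 'ASC';
    return '`' . ALLOWED_ORDERBY[$key] . '` ' . $dir;
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
foreach (['title desc', 'pubdate', 'title, id', 'unknown_col'] as $in) {
    $fragment = buildOrderBy($in);
    if ($fragment === null) {
        echo "rejected: {$in}\n";
        continue;
    }
    // Vulnerable pattern, for contrast: "ORDER BY " . $_GET['orderby']
    // Hardened: only an allowlisted identifier and a fixed keyword reach SQL.
    $sql = "SELECT id, title, pubdate FROM freelist ORDER BY {$fragment}";
    echo "accepted: {$sql}\n";
}
```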