CVE-2024-2820 MEDIUM

CVE-2024-2820: DedeCMS baidunews.php cross-site request forgery

Vendor N/A

Product DedeCMS

Weakness CWE-352 · CSRF

Published March 22, 2024

Last update August 1, 2024

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A vulnerability classified as problematic was found in DedeCMS 5.7. Affected by this vulnerability is an unknown functionality of the file /src/dede/baidunews.php. The manipulation of the argument filename leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257707. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

March 22, 2024 CVE published

August 1, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-2820 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

04Related CVE

CVE-2022-43491 WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 - Cross-Site Request Forgery (CSRF) vulnerability CVE-2024-56229 WordPress SearchIQ plugin <= 4.6 - Cross-Site Requst Forgery (CSRF) vulnerability CVE-2025-4966 WP Online Users Stats <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function CVE-2023-51522 WordPress Paid Membership Subscriptions plugin <= 2.10.4 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-52835 WordPress WING WordPress Migrator plugin <= 1.2.0 - Cross Site Request Forgery (CSRF) vulnerability