Vulnerability: DedeCMS 5.7 SP2 - Cross-Site Scripting

DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.

Impact

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim’s browser, leading to session hijacking, defacement, or theft of sensitive information.

Severity

medium

Verified

Unknown