CVE Vulnerability Database

CVE-2024-30855: Dedecms v5.7 CSRF Vulnerability

CVE-2024-30855 is a Cross-Site Request Forgery flaw in Dedecms v5.7 that enables attackers to perform unauthorized actions on behalf of authenticated users. This article covers technical details, impact, and mitigation.


CVE-2024-30855 Overview

CVE-2024-30855 is a Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7. The flaw resides in the /src/dede/makehtml_list_action.php endpoint, which fails to validate the origin or authenticity of incoming requests. An attacker can craft a malicious web page that, when visited by an authenticated DedeCMS administrator, triggers unauthorized administrative actions. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery and affects DedeCMS deployments running version 5.7.

Critical Impact

Successful exploitation allows attackers to perform administrative actions in the context of an authenticated DedeCMS user, leading to compromise of site content, configuration, and integrity.

Affected Products

  • DedeCMS v5.7
  • The /src/dede/makehtml_list_action.php administrative endpoint, reachable by any request that carries a valid administrator session cookie
  • Any v5.7 installation whose administrators use the web interface from a browser that can also load untrusted sites (the ordinary case)

Discovery Timeline

  • 2025-12-29 - CVE-2024-30855 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-30855

Vulnerability Analysis

The vulnerability stems from the absence of anti-CSRF protections in the makehtml_list_action.php script within the DedeCMS administrative directory. The endpoint accepts state-changing requests without verifying a synchronizer token, custom header, or request origin. When an authenticated administrator visits an attacker-controlled page, the browser submits the forged request and attaches the administrator's session cookies automatically, so the server cannot tell it apart from a request made through the admin UI.

Exploitation requires user interaction, specifically the administrator browsing an attacker-controlled page while holding an active session. Because the endpoint executes server-side actions related to HTML list generation, forged requests can trigger backend operations that alter site state. The attack succeeds over the network and requires no credentials of the attacker's own.

Root Cause

The root cause is missing CSRF token validation [CWE-352] on the makehtml_list_action.php handler. DedeCMS does not enforce per-request, unpredictable tokens or SameSite cookie protections for administrative actions. Session authentication relies on cookies alone, which browsers transmit automatically with cross-origin form submissions.

Attack Vector

An attacker hosts a malicious HTML page containing an auto-submitting form or img tag targeting the vulnerable endpoint. When an authenticated DedeCMS administrator visits the page, the browser issues the forged request with valid session cookies. The DedeCMS server processes the request as legitimate and performs the requested administrative operation. Technical proof-of-concept details are available in the GitHub Gist PoC and the GitHub CMS Documentation.

Detection Methods for CVE-2024-30855

Indicators of Compromise

  • POST requests (or GET requests, if the endpoint honours them) to /src/dede/makehtml_list_action.php whose Referer or Origin header names a domain other than the DedeCMS host, or that carry no Referer at all.
  • Administrative actions logged outside normal working hours or from unfamiliar client IPs.
  • Unexplained regeneration of HTML list pages or modifications to published content.

Detection Strategies

  • Inspect web server access logs for requests to makehtml_list_action.php whose Referer header points to an untrusted domain or is absent; the admin UI's own form submissions are same-origin and normally carry a Referer, so its absence is itself a signal.
  • Correlate each call to the endpoint with the same session's preceding requests: a legitimate run is preceded by a request for the admin page that hosts the form, whereas a forged request arrives with no such history.
  • Deploy a Web Application Firewall (WAF) rule that flags or blocks POST requests under /src/dede/ whose Origin or Referer header is missing or does not match the DedeCMS host. Because DedeCMS v5.7 issues no anti-CSRF token, a rule keyed on token presence has nothing to check.
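As an added illustration of the log-based strategy above (this script is written for this page and is not DedeCMS or vendor code), the following Python runs the Referer check over a few constructed combined-format access-log lines. It flags every hit on the vulnerable endpoint whose Referer is cross-site or missing, and ignores other paths. The host name cms.example.com, the attacker domain, the client addresses and the log lines themselves are all assumed sample data.

```python
import re
from urllib.parse import urlsplit

# Vulnerable endpoint named in the advisory; the trusted host is an assumed deployment value.
TARGET_PATH = "/src/dede/makehtml_list_action.php"
TRUSTED_HOSTS = {"cms.example.com"}

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): a legitimate call from the admin UI, a forged
# call from an attacker page, a GET with the Referer suppressed, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:09:14:02 +0000] "POST /src/dede/makehtml_list_action.php HTTP/1.1" 200 1532 "https://cms.example.com/src/dede/index.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:09:21:47 +0000] "POST /src/dede/makehtml_list_action.php HTTP/1.1" 200 1532 "https://attacker.example/news.html" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:09:22:03 +0000] "GET /src/dede/makehtml_list_action.php?x=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:09:30:11 +0000] "GET /index.php HTTP/1.1" 200 8120 "https://attacker.example/news.html" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased host of the logged Referer, or None when the header was absent ('-')."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify(entry, trusted_hosts=TRUSTED_HOSTS):
    """Verdict for one parsed entry: None if not the target endpoint, else 'ok' or a reason."""
    if urlsplit(entry["path"]).path != TARGET_PATH:
        return None
    host = referer_host(entry["referer"])
    if host is None:
        # A forged page can suppress Referer with a no-referrer policy, while the admin
        # UI's own same-origin form posts normally carry one, so absence is suspect.
        return "suspicious: no Referer"
    if host not in trusted_hosts:
        return f"suspicious: cross-site Referer {host}"
    return "ok"


def scan(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return (ip, method, path, verdict) for every suspicious hit on the endpoint."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, trusted_hosts)
        if verdict and verdict != "ok":
            findings.append((entry["ip"], entry["method"], entry["path"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Run against a real log, the same scan should be keyed on the host names the site actually serves; a hit with a missing Referer is worth reviewing rather than auto-discarding, since it is exactly what a no-referrer attacker page produces.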

Monitoring Recommendations

  • Enable verbose audit logging for all endpoints under the /src/dede/ directory.
  • Alert on administrative actions performed without preceding navigation to the corresponding admin UI page.
  • Monitor for sudden spikes in calls to makehtml_list_action.php from a single administrator session.

How to Mitigate CVE-2024-30855

Immediate Actions Required

  • Restrict access to the /src/dede/ administrative directory by IP allowlist or VPN-only access.
  • Require administrators to log out of DedeCMS sessions before browsing external sites.
  • Apply SameSite=Strict or SameSite=Lax to DedeCMS session cookies (for the PHP session cookie, session.cookie_samesite in php.ini; for any cookie the login sets, a reverse proxy can add the flag). Lax withholds the cookie on cross-site POST and on subresource requests such as an img tag, but still sends it on top-level GET navigations, so it only helps if the endpoint ignores GET; Strict closes that path too, at the cost of administrators appearing unauthenticated on the first navigation from an external link.

Patch Information

No official vendor patch is referenced in the NVD entry for CVE-2024-30855 at the time of publication. Administrators should monitor the DedeCMS project channels for upstream fixes and apply them as soon as they become available.

Workarounds

  • Implement a reverse proxy or WAF rule that rejects requests to makehtml_list_action.php whose Referer is missing or does not match the DedeCMS hostname. Rejecting a missing Referer is deliberate: a forged page can suppress it with a no-referrer policy, while the admin UI's own same-origin form posts carry one. For POST requests, checking the Origin header as well is more robust, since browsers set it on cross-site form submissions independently of the page's referrer policy.
  • Add a server-side CSRF token check by introducing a synchronizer token in administrative forms and validating it on the backend.
  • Enforce re-authentication for sensitive administrative operations to reduce the window of session reuse.
```nginx
# Example Nginx configuration to enforce Referer validation on the vulnerable endpoint.
# Assumes DedeCMS is served through an upstream named dedecms_backend; adjust to match
# the location that already serves the admin directory.

# Add Secure, HttpOnly and SameSite=Strict to every cookie the backend sets (nginx 1.19.3+).
# This sits at server level, not inside the location below, because the session cookie is
# issued at login, not by the vulnerable endpoint. Re-emitting the cookie with add_header,
# as is sometimes suggested, only runs on 2xx/3xx responses and would also overwrite the
# cookie with an empty value on requests that carried none.
proxy_cookie_flags ~ secure httponly samesite=strict;

location = /src/dede/makehtml_list_action.php {
    # Accept only Referers naming one of this server's names; an absent Referer counts
    # as invalid, so a forged page using a no-referrer policy is rejected as well.
    valid_referers server_names;
    if ($invalid_referer) {
        return 403;
    }
    proxy_pass http://dedecms_backend;
}
```
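The server-side check that the second workaround describes, as an added Python reference implementation written for this page (it is not DedeCMS code; the project is PHP, and this shows the logic, not a drop-in patch): a synchronizer token is issued once per session and embedded in each admin form, and every state-changing request must be a POST, must carry an Origin (or, failing that, a Referer) matching the site, and must present the session's token, compared in constant time. The origin cms.example.com, the hidden-field name _csrf_token, and the sample requests are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the DedeCMS admin UI (not a value from the advisory).
SITE_ORIGIN = "https://cms.example.com"
# Assumed name of the hidden form field that carries the token.
TOKEN_FIELD = "_csrf_token"


def issue_token(session):
    """Synchronizer token: one unpredictable secret per session, embedded in every admin form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def request_origin(headers):
    """Origin of the request: the Origin header, else the Referer's scheme+host, else None."""
    origin = headers.get("Origin")
    if origin and origin != "null":   # browsers send "null" under a no-referrer policy
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(session, method, headers, form):
    """Decide whether a state-changing request may run. Returns (allowed, reason)."""
    # The admin UI submits its forms with POST; an <img>- or link-triggered GET is rejected
    # outright, so a SameSite=Lax cookie (still sent on top-level GET) cannot be abused.
    if method != "POST":
        return False, "state-changing request must be POST"
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin}"
    expected = session.get("csrf_token", "")
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison on bytes so a wrong guess leaks nothing about the real token.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    # Legitimate submission from the admin UI's own form.
    print(check_csrf(session, "POST", {"Origin": SITE_ORIGIN}, {TOKEN_FIELD: token}))
    # Auto-submitting form on an attacker page: the browser sends the attacker's Origin, no token.
    print(check_csrf(session, "POST", {"Origin": "https://attacker.example"}, {}))
    # <img>-triggered GET with the Referer suppressed.
    print(check_csrf(session, "GET", {}, {}))
```

The origin check rejects the forged request before the token is even consulted, which is why the two layers are worth combining: the token defeats an attacker who can spoof nothing, and the origin check catches requests from browsers or proxies that drop the token field.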

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
