DedeBIZ SQL Injection Vulnerability in Admin Freelist Main PHP

Vulnerability

A SQL injection vulnerability has been identified in DedeBIZ CMS versions through 6.3.2. The issue is in the file /admin/freelist_main.php, where the orderby parameter is used in a database query in a way that lets an attacker inject arbitrary SQL into it. The vulnerability can be exploited remotely, and details of the exploit are publicly available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to /admin/freelist_main.php with the orderby parameter set to a crafted value containing a SQL injection payload. The injection can be confirmed by extracting database information, for example by calling a SQL function that returns data such as the current database user.
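The root cause described above is a sort expression that reaches the query string unvalidated. The following is an added example, not DedeBIZ's own code, showing that weak pattern beside the usual fix. ORDER BY clauses cannot be bound as prepared-statement parameters, so the control is an allowlist that maps request values to fixed column/direction pairs; the table and column names and the helper functions here are hypothetical.

```php
<?php
// Added example (not DedeBIZ code): hardening a request-controlled "orderby".
// Table "example_items" and its columns are hypothetical placeholders.

// Weak pattern: the sort expression comes straight from the request and is
// spliced into the SQL string, so any text the client sends becomes SQL.
function build_query_unsafe(string $orderby): string
{
    return "SELECT id, title FROM example_items ORDER BY " . $orderby;
}

// Hardened pattern: the request value is only ever used as a key into a fixed
// map of allowed sort expressions. Anything not in the map falls back to a
// default, so no client-supplied text ever reaches the query.
const ALLOWED_ORDER = [
    'id_asc'     => 'id ASC',
    'id_desc'    => 'id DESC',
    'title_asc'  => 'title ASC',
    'title_desc' => 'title DESC',
];

function build_query_safe(string $orderby): string
{
    $order = ALLOWED_ORDER[$orderby] ?? ALLOWED_ORDER['id_desc'];
    return "SELECT id, title FROM example_items ORDER BY " . $order;
}

// Demonstration with constructed inputs: one allowlisted key and one raw SQL
// fragment that a client might send instead of a key.
$inputs = ['title_asc', 'id DESC, title'];
foreach ($inputs as $in) {
    echo "input:  {$in}\n";
    echo "unsafe: " . build_query_unsafe($in) . "\n";
    echo "safe:   " . build_query_safe($in) . "\n\n";
}
```

In the unsafe variant the second input is copied into the query verbatim; in the safe variant it is not a known key, so the query is built with the default sort and the request text never appears in the SQL. The same pattern applies to any other query fragment that cannot be parameterised, such as column names or LIMIT values.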

Added: Nov 7, 2025, 3:17 PM
Updated: Nov 7, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  4.6
remediation     0.0
relevance       1.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.