DedeCMS Cross-Site Request Forgery Vulnerability in Task Management Component

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in DedeCMS version 5.7.118, in the task management component located at 'dede/sys_task_add.php'. The application does not properly enforce CSRF protection on the 'save' action of the affected page. As a result, an attacker can create a malicious HTML page that, when visited by an authenticated administrator, automatically sends a forged POST request to the vulnerable endpoint. This could lead to the unauthorized creation of scheduled tasks in the administrator's context, potentially causing further security issues depending on how scheduled tasks are configured on the affected system.
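For triage on a potentially affected site, the following added example (not part of the original advisory and not DedeCMS code) scans web server access logs for POST requests to the task-add page whose Referer is missing or points to another site. It assumes the Apache/Nginx "combined" log format, the default admin directory name `dede`, and a hypothetical trusted hostname `cms.example.test`; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): "combined" access-log format, the
# default admin directory name "dede", and the site's own hostname below.
ENDPOINT = "/dede/sys_task_add.php"
TRUSTED_HOSTS = {"cms.example.test"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_task_posts(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return (timestamp, client_ip, reason) for POSTs to the task-add page
    that did not originate from a page on a trusted host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a read-only request
        if urlsplit(m["target"]).path != ENDPOINT:
            continue  # some other page
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "missing Referer"
        else:
            host = urlsplit(referer).hostname
            if host in trusted_hosts:
                continue  # form was submitted from the site itself
            reason = f"cross-site Referer: {host}"
        findings.append((m["ts"], m["ip"], reason))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Mar/2026:16:01:02 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 200 512 "https://cms.example.test/dede/sys_task_add.php" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2026:16:05:40 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 200 498 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2026:16:06:11 +0000] "POST /dede/sys_task_add.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2026:16:07:00 +0000] "GET /dede/sys_task_add.php HTTP/1.1" 200 2048 "https://cms.example.test/dede/index.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, reason in suspicious_task_posts(SAMPLE_LOG):
        print(ts, ip, reason)
```

A hit is a lead for review rather than proof of forgery, since browsers can omit the Referer for privacy or policy reasons; compare flagged timestamps against the scheduled tasks that exist on the system.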

Impact

Exploitation of this vulnerability could allow for the unauthorized creation of scheduled tasks under the administrator's account, which could be misused for malicious purposes, especially if the tasks are configured to perform sensitive actions or access critical data.

Added: Mar 24, 2026, 4:40 PM
Updated: Mar 24, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.