SRC-2021-0029 : Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability



CVSS Score:

7.3, (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Vendors:


Affected Products:

Dedecms <= v5.7.84 release

Vulnerability Details:

This vulnerability allows remote attackers to bypass authentication on affected installations of Dedecms. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the GetCookie function. The issue results from a loose comparison check when verifying incoming authenticated requests. An attacker can leverage this vulnerability to bypass authentication on the system as a member user.

Vendor Response:

Dedecms has not issued an update to correct this vulnerability.

Disclosure Timeline:

Proof of Concept:



This vulnerability was discovered by Steven Seeley of Qihoo 360 Vulcan Team