There is a remote code execution vulnerability in SeaCMS 12.9. The vulnerability is caused by phomebak.php writing some variable names passed in without filtering them before writing them into the php file. An authenticated attacker can exploit this vulnerability to execute arbitrary commands and obtain system permissions.
CVSS Score
8.8
EPSS Score
0.024
Published
2024-07-12
SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_weixin.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions.
CVSS Score
8.8
EPSS Score
0.014
Published
2024-07-12
SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_smtp.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions.
CVSS Score
8.8
EPSS Score
0.017
Published
2024-07-12
SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_config_mark.php directly splicing and writing the user input data into inc_photowatermark_config.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions.
CVSS Score
8.8
EPSS Score
0.017
Published
2024-07-12
An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php.
CVSS Score
9.8
EPSS Score
0.026
Published
2024-07-05
SeaCMS v12.9 has an unauthorized SQL injection vulnerability. The vulnerability is caused by the SQL injection through the cid parameter at /js/player/dmplayer/dmku/index.php?ac=edit, which can cause sensitive database information to be leaked.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-07-05
A vulnerability was found in SeaCMS 12.9. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /js/player/dmplayer/dmku/?ac=edit. The manipulation of the argument cid with the input (select(0)from(select(sleep(10)))v) leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270007.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-06-30
SeaCMS 12.9 has a file deletion vulnerability via admin_template.php.
CVSS Score
9.1
EPSS Score
0.003
Published
2024-06-10
An issue was discovered in SeaCMS version 12.9, allows remote attackers to execute arbitrary code via admin notify.php.
CVSS Score
8.8
EPSS Score
0.019
Published
2024-04-04
SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php.
CVSS Score
9.8
EPSS Score
0.574
Published
2024-03-22