CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44919
https://notcve.org/view.php?id=CVE-2024-44919
29 Aug 2024 — A cross-site scripting (XSS) vulnerability in the component admin_ads.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ad description parameter. • https://github.com/nn0nkey/nn0nkey/blob/main/second.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41444
https://notcve.org/view.php?id=CVE-2024-41444
26 Aug 2024 — SeaCMS v12.9 has a SQL injection vulnerability in the key parameter of /js/player/dmplayer/dmku/index.php?ac=so. • https://gist.github.com/looppppp/fa328c81ce19c1097d10f95c763d0d50 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-42599
https://notcve.org/view.php?id=CVE-2024-42599
22 Aug 2024 — SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_files.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges. • https://gitee.com/fushuling/cve/blob/master/CVE-2024-42599.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-42598
https://notcve.org/view.php?id=CVE-2024-42598
20 Aug 2024 — SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges. • https://gitee.com/fushuling/cve/blob/master/SeaCMS%20V13%20admin_editplayer.php%20code%20injection.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7163 – SeaCMS index.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-7163
28 Jul 2024 — A vulnerability, which was classified as problematic, was found in SeaCMS 12.9. This affects an unknown part of the file /js/player/dmplayer/player/index.php. The manipulation of the argument color/vid/url leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/HuaQiPro/seacms/issues/28 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7162 – SeaCMS cross site scripting
https://notcve.org/view.php?id=CVE-2024-7162
28 Jul 2024 — A vulnerability, which was classified as problematic, has been found in SeaCMS 12.9/13.0. Affected by this issue is some unknown functionality of the file js/player/dmplayer/admin/post.php?act=setting. The manipulation of the argument yzm leads to cross site scripting. The attack may be launched remotely. • https://github.com/HuaQiPro/seacms/issues/29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7161 – SeaCMS Password Change cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7161
28 Jul 2024 — A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. • https://github.com/HuaQiPro/seacms/issues/30 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39036
https://notcve.org/view.php?id=CVE-2024-39036
16 Jul 2024 — SeaCMS v12.9 is vulnerable to Arbitrary File Read via admin_safe.php. SeaCMS v12.9 es vulnerable a la lectura arbitraria de archivos a través de admin_safe.php. • https://github.com/seacms-net/CMS/issues/18 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2024-40518
https://notcve.org/view.php?id=CVE-2024-40518
12 Jul 2024 — SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_weixin.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions. SeaCMS 12.9 tiene una vulnerabilidad de ejecución remota de código. La vulnerabilidad es causada porque admin_weixin.php empalma y escribe directamente los datos de entrada del usuario en weixi... • https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_weixin.php%20code%20injection.md • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 4%CPEs: 1EXPL: 1CVE-2024-40519
https://notcve.org/view.php?id=CVE-2024-40519
12 Jul 2024 — SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_smtp.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions. SeaCMS 12.9 tiene una vulnerabilidad de ejecución remota de código. La vulnerabilidad se debe a que admin_smtp.php empalma y escribe directamente los datos de entrada del usuario en weixin.php si... • https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_smtp.php%20code%20injection.md •