
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Nov 2018 — In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element. • https://github.com/Xmansec/seacms_vul/tree/master/XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Nov 2018 — In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php. • https://github.com/Xmansec/seacms_vul/blob/master/SQL/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 2

26 Sep 2018 — SeaCMS 6.64 and 7.2 allow remote attackers to delete arbitrary files via the filedir parameter. • http://blog.51cto.com/13770310/2177226 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

22 Sep 2018 — An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. • https://secwk.blogspot.com/2018/09/seacms-664-xss-vulnerability_14.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

21 Sep 2018 — SeaCMS 6.64 allows SQL injection via the upload/admin/admin_video.php order parameter. • http://blog.51cto.com/13770310/2177214 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Sep 2018 — SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests. • http://blog.51cto.com/13770310/2177212 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

16 Sep 2018 — An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. • https://secwk.blogspot.com/2018/09/seacms-664-xss-vulnerability.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Sep 2018 — An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms5.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
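The three traversal entries above (filedir, admin_template.php path, admin_database.php bakfiles) share one root cause: a client-supplied name is joined onto a directory and used as-is, so "../" sequences walk out of that directory, in the bakfiles case as far as install_lock.txt. The check below is an added example of the containment test such parameters need; it is not SeaCMS's own code, and the backup directory "/var/www/seacms/data/backup" and the sample names are assumptions constructed for the demonstration.

```python
"""Path-containment check of the kind the bakfiles / filedir / path parameters
above lack.  Added example, not SeaCMS's own code; the base directory used in
triage_backup_names() and the sample names are assumptions."""
import posixpath
from typing import Dict, List, Optional


def resolve_inside(base_dir: str, user_value: str) -> Optional[str]:
    """Return the normalised path if it lies strictly under base_dir, else None.

    Pure string normalisation (no filesystem access), so it is deterministic.
    On a live system follow it with os.path.realpath() on the result and repeat
    the prefix test: a symlink created inside base_dir can still point outside.
    """
    if "\x00" in user_value:           # NUL truncates the path in C-backed file APIs
        return None
    if posixpath.isabs(user_value):    # never accept an absolute path from a client
        return None
    base = posixpath.normpath(base_dir)            # drops a trailing "/" on the base
    candidate = posixpath.normpath(posixpath.join(base, user_value))
    # normpath has collapsed every "../", so the whole decision is a prefix test.
    # The "/" is essential: without it "../backup2/x" would pass for base ".../backup",
    # and the base directory itself (from "" or ".") is rejected as a target.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def triage_backup_names(values: List[str]) -> Dict[str, Optional[str]]:
    """Map each client-supplied backup name to the path it may act on, or None."""
    base = "/var/www/seacms/data/backup"           # assumed layout, not SeaCMS's
    return {v: resolve_inside(base, v) for v in values}


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one harmless "..", and the escapes
    # the entries above describe.
    for name, path in triage_backup_names(
        ["db-2018-09-04.sql", "sub/../x.sql", "../../install_lock.txt",
         "/etc/passwd", "../backup2/x.sql", ""]).items():
        print(f"{name!r:28} -> {path}")
```

The same function serves a delete, a read or a listing: the deciding question is always whether the resolved path still starts with the intended directory plus a separator, not whether the raw string contains "..".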

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

04 Sep 2018 — An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms3.md • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

04 Sep 2018 — An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms4.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
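Every entry on this page names a script and the parameter that carries the hostile value, which is exactly what a log-based detection rule needs. The script below is an added example (not from SeaCMS or the linked write-ups) that turns those script/parameter pairs into rules and runs them over constructed Apache combined-format lines; the client addresses are documentation ranges and the request lines are made up to trip or not trip each rule. Two caveats a practitioner should keep in mind: access logs hold the query string only, so form fields sent in a POST body (the member.php email field in real use) are invisible to this rule and the sample line carries email in the query purely to exercise it; and the SSRF rule can only judge literal addresses, since resolving a hostname from a log rule would itself be a lookup an attacker controls.

```python
"""Detection rules for the SeaCMS scripts and parameters named in the entries
above, run over constructed Apache combined-format log lines.  Added example,
not code from SeaCMS or from the linked advisories."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# client ident user [time] "METHOD TARGET PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SQLI = re.compile(r"""['"`]|--|/\*|\b(union|select|sleep|benchmark|updatexml|extractvalue)\b""", re.I)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")      # a ".." path component, not "a..b"
MARKUP = re.compile(r"<|data:", re.I)                  # tag start or a data: URL


def looks_sqli(v: str) -> bool:
    return bool(SQLI.search(v))


def looks_traversal(v: str) -> bool:
    return bool(TRAVERSAL.search(v))


def looks_markup(v: str) -> bool:
    return bool(MARKUP.search(v))


def looks_ssrf(v: str) -> bool:
    """Non-http(s) scheme, or an http(s) target on loopback/private/link-local space."""
    u = urlsplit(v)
    if u.scheme not in ("http", "https"):
        return True
    host = u.hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a DNS name: not judged here (see lead-in caveat)
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


# (script, or None for any script; params that must equal a fixed value;
#  params to inspect; predicate; label)
Rule = Tuple[Optional[str], Dict[str, str], List[str], Callable[[str], bool], str]
RULES: List[Rule] = [
    ("admin_video.php", {}, ["order"], looks_sqli, "SQLi via order"),
    ("admin_video.php", {}, ["action", "area", "type", "yuyan", "jqtype",
                             "v_isunion", "v_recycled", "v_ismoney", "v_ispsd"],
     looks_markup, "XSS in admin_video.php"),
    ("admin_makehtml.php", {}, ["topic"], looks_sqli, "SQLi via topic"),
    ("admin_topic_vod.php", {}, ["tid"], looks_sqli, "SQLi via tid"),
    ("admin_template.php", {}, ["path"], looks_traversal, "directory listing via path"),
    ("admin_database.php", {}, ["bakfiles"], looks_traversal, "file deletion via bakfiles"),
    (None, {}, ["filedir"], looks_traversal, "file deletion via filedir"),
    ("admin_reslib.php", {}, ["url"], looks_ssrf, "SSRF via url"),
    ("member.php", {"action": "chgpwdsubmit"}, ["email"], looks_markup, "stored XSS via email"),
    ("admin_datarelate.php", {"action": "dorandomset"}, ["time", "maxHit"],
     looks_markup, "XSS via time/maxHit"),
]


def analyze(line: str) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, script, parameter, label) for every rule the request trips."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes once
    hits = []
    for want_script, fixed, names, pred, label in RULES:
        if want_script is not None and script != want_script:
            continue
        if any(params.get(k, [""])[0] != v for k, v in fixed.items()):
            continue
        for name in names:
            for value in params.get(name, []):
                if pred(value):
                    hits.append((m.group("ip"), script, name, label))
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    return [hit for line in lines for hit in analyze(line)]


# Constructed sample log: five lines that should alert, two that should not.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2018:10:00:01 +0000] "GET /upload/admin/admin_video.php?order=id%27%20and%20sleep(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Sep/2018:10:00:02 +0000] "GET /upload/admin/admin_template.php?path=../templets/../../ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Sep/2018:11:30:00 +0000] "GET /adm1n/admin_database.php?bakfiles=../../install_lock.txt HTTP/1.1" 200 300 "-" "curl/7.61"',
    '198.51.100.7 - - [04/Sep/2018:11:31:00 +0000] "GET /adm1n/admin_reslib.php?url=http://127.0.0.1:3306/ HTTP/1.1" 200 120 "-" "curl/7.61"',
    '192.0.2.9 - - [17/Nov/2018:09:15:00 +0000] "POST /member.php?action=chgpwdsubmit&email=%3Cobject%20data%3D%22data%3Atext%2Fhtml%2Cx%22%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Nov/2018:09:16:00 +0000] "GET /upload/admin/admin_video.php?order=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [04/Sep/2018:11:32:00 +0000] "GET /adm1n/admin_reslib.php?url=https://example.com/feed.xml HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("\t".join(hit))
```

The rules are deliberately narrow: they key on the exact script and parameter from each entry, so a hit is worth a ticket rather than a statistic. Widening the SQL and markup predicates (or decoding the query a second time to catch double-encoded "../") raises recall at the cost of noise on the admin scripts' legitimate sort and filter values.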