CVE-2018-16446
https://notcve.org/view.php?id=CVE-2018-16446
An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt. Se ha descubierto un problema en SeaCMS hasta la versión 6.61. adm1n/admin_database.php permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro bakfiles. Esto puede permitir que el producto se reinstale eliminando install_lock.txt. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms5.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-16343
https://notcve.org/view.php?id=CVE-2018-16343
SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. SeaCMS 6.61 permite que atacantes remotos ejecuten código arbitrario debido a que parseIf() en include/main.class.php no bloquea el uso de $GLOBALS. • http://zhinianyuxin.postach.io/post/seacms-v6-61-latest-version-backend-rce https://github.com/cumtxujiabin/CmsPoc/blob/master/Seacms_v6.61_backend_RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2018-16348
https://notcve.org/view.php?id=CVE-2018-16348
SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. SeaCMS V6.61 tiene Cross-Site Scripting (XSS) mediante el parámetro v_content en admin_video.php. Esto está relacionado con el nombre del sitio. • https://github.com/Jas0nwhy/vulnerability/blob/master/Seacmsxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-14910
https://notcve.org/view.php?id=CVE-2018-14910
SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. SeaCMS v6.61 permite la ejecución remota de código colocando código PHP en una dirección IP permitida (también conocida como ip) en /admin/admin_ip.php (también conocida como /adm1n/admin_ip.php). El código se ejecuta al visitar adm1n/admin_ip.php o data/admin/ip.php. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms2.md • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2018-14517
https://notcve.org/view.php?id=CVE-2018-14517
SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields. SeaCMS 6.61 tiene dos problemas de Cross-Site Scripting (XSS) en el archivo admin_config.php mediante ciertos campos de formulario. • https://github.com/SecWiki/CMS-Hunter/blob/master/seacms/seacms6.61/seacms661.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •