CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16444
https://notcve.org/view.php?id=CVE-2018-16444
04 Sep 2018 — An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter. Se ha descubierto un problema en SeaCMS 6.61. adm1n/admin_reslib.php tiene Server-Side Request Forgery (SSRF) mediante el parámetro url. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms3.md • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16445
https://notcve.org/view.php?id=CVE-2018-16445
04 Sep 2018 — An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request. Se ha descubierto un problema en SeaCMS hasta la versión 6.61. Existe una inyección SQL mediante el parámetro tid en una petición adm1n/admin_topic_vod.php. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms4.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 2CVE-2018-16343
https://notcve.org/view.php?id=CVE-2018-16343
02 Sep 2018 — SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. SeaCMS 6.61 permite que atacantes remotos ejecuten código arbitrario debido a que parseIf() en include/main.class.php no bloquea el uso de $GLOBALS. • http://zhinianyuxin.postach.io/post/seacms-v6-61-latest-version-backend-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16348
https://notcve.org/view.php?id=CVE-2018-16348
02 Sep 2018 — SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. SeaCMS V6.61 tiene Cross-Site Scripting (XSS) mediante el parámetro v_content en admin_video.php. Esto está relacionado con el nombre del sitio. • https://github.com/Jas0nwhy/vulnerability/blob/master/Seacmsxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2018-14910
https://notcve.org/view.php?id=CVE-2018-14910
03 Aug 2018 — SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. SeaCMS v6.61 permite la ejecución remota de código colocando código PHP en una dirección IP permitida (también conocida como ip) en /admin/admin_ip.php (también conocida como /adm1n/admin_ip.php). El código se ejecuta al visitar adm1n/admin_ip.php o d... • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms2.md • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14517
https://notcve.org/view.php?id=CVE-2018-14517
23 Jul 2018 — SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields. SeaCMS 6.61 tiene dos problemas de Cross-Site Scripting (XSS) en el archivo admin_config.php mediante ciertos campos de formulario. • https://github.com/SecWiki/CMS-Hunter/blob/master/seacms/seacms6.61/seacms661.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-14421
https://notcve.org/view.php?id=CVE-2018-14421
19 Jul 2018 — SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. SeaCMS v6.61 permite la ejecución remota de código colocando código PHP en una dirección de imagen de película (v#95;pic) en /admin/admin_video.php (/backend/admin_video.php). El código se ejecuta al visitar /details/index.php. • http://hexo.imagemlt.xyz/post/seacms-backend-getshell/index.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13444
https://notcve.org/view.php?id=CVE-2018-13444
08 Jul 2018 — An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add an admin account via adm1n/admin_manager.php?action=save&id=2. Se ha descubierto un problema en SeaCMS 6.61. Hay una vulnerabilidad de Cross-Site Request Forgery (CSRF) que puede añadir una cuenta admin mediante adm1n/admin_manager.php? • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms1.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13445
https://notcve.org/view.php?id=CVE-2018-13445
08 Jul 2018 — An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add a user account via adm1n/admin_manager.php?action=add. Se ha descubierto un problema en SeaCMS 6.61. Hay una vulnerabilidad de Cross-Site Request Forgery (CSRF) que puede añadir una cuenta de usuario mediante adm1n/admin_manager.php? • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms1.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-12431
https://notcve.org/view.php?id=CVE-2018-12431
14 Jun 2018 — SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_config.php page (aka a system management page). SeaCMS V6.61 tiene Cross-Site Scripting (XSS) mediante el parámetro site name en una página adm1n/admin_config.php (también conocida como página de gestión del sistema). • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •