CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16445
https://notcve.org/view.php?id=CVE-2018-16445
An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request. Se ha descubierto un problema en SeaCMS hasta la versión 6.61. Existe una inyección SQL mediante el parámetro tid en una petición adm1n/admin_topic_vod.php. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms4.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16444
https://notcve.org/view.php?id=CVE-2018-16444
An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter. Se ha descubierto un problema en SeaCMS 6.61. adm1n/admin_reslib.php tiene Server-Side Request Forgery (SSRF) mediante el parámetro url. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms3.md • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16446
https://notcve.org/view.php?id=CVE-2018-16446
An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt. Se ha descubierto un problema en SeaCMS hasta la versión 6.61. adm1n/admin_database.php permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro bakfiles. Esto puede permitir que el producto se reinstale eliminando install_lock.txt. • https://github.com/MichaelWayneLIU/seacms/blob/master/seacms5.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 2CVE-2018-16343
https://notcve.org/view.php?id=CVE-2018-16343
SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. SeaCMS 6.61 permite que atacantes remotos ejecuten código arbitrario debido a que parseIf() en include/main.class.php no bloquea el uso de $GLOBALS. • http://zhinianyuxin.postach.io/post/seacms-v6-61-latest-version-backend-rce https://github.com/cumtxujiabin/CmsPoc/blob/master/Seacms_v6.61_backend_RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16348
https://notcve.org/view.php?id=CVE-2018-16348
SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. SeaCMS V6.61 tiene Cross-Site Scripting (XSS) mediante el parámetro v_content en admin_video.php. Esto está relacionado con el nombre del sitio. • https://github.com/Jas0nwhy/vulnerability/blob/master/Seacmsxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •