
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Sep 2024 — SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, that function is never called during execution, allowing remote code execution by writing to the file through the MySQL slow query method. • https://gitee.com/zheng_botong/CVE-2024-46640 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Sep 2024 — SeaCMS v13.1 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the url parameter at /admin_reslib.php. • https://github.com/seacms-net/CMS/issues/23 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Sep 2024 — SeaCMS v13.1 was discovered to contain an arbitrary file read vulnerability via the component admin_safe.php. • https://github.com/seacms-net/CMS/issues/22 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Sep 2024 — A cross-site scripting (XSS) vulnerability in the component admin_collect_news.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the siteurl parameter. • https://github.com/nn0nkey/nn0nkey/blob/main/CVE-2024-44920.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Sep 2024 — SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del. • https://github.com/nn0nkey/nn0nkey/blob/main/CVE-2024-44921.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Aug 2024 — Seacms v13 is vulnerable to Cross Site Scripting (XSS) via admin-video.php. • https://github.com/147536951/Qianyi/blob/main/Seacms.md

CVSS: 3.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Aug 2024 — A cross-site scripting (XSS) vulnerability in the component admin_datarelate.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/nn0nkey/nn0nkey/blob/main/CVE-2024-44918.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Aug 2024 — A vulnerability in admin_ip.php in Seacms v13.1, when action=set, allows attackers to control IP parameters that are written to the data/admin/ip.php file and could result in arbitrary command execution. • http://seacms.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Aug 2024 — A cross-site scripting (XSS) vulnerability in the component admin_ads.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ad description parameter. • https://github.com/nn0nkey/nn0nkey/blob/main/second.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Aug 2024 — SeaCMS v12.9 has a SQL injection vulnerability in the key parameter of /js/player/dmplayer/dmku/index.php?ac=so. • https://gist.github.com/looppppp/fa328c81ce19c1097d10f95c763d0d50 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')