SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request.
The vulnerability results from unsafe input data processing in the phomebak.php component, classified as CWE-94 (improper control of code generation). An attacker can send a specially crafted HTTP request to the vulnerable endpoint, which leads to arbitrary code execution on the server side. The attack vector is network-based, requires no privileges or user interaction, making the vulnerability particularly dangerous.
Successful exploitation of the vulnerability allows an attacker to gain full control over the server — read, modify and delete data, install malicious software, and potentially perform lateral movement within the internal network.
Apply patches available from the vendor according to the references. Until the update is applied, it is recommended to restrict access to the vulnerable phomebak.php component at the firewall or web server level and monitor suspicious HTTP requests directed to this endpoint.
SeaCMS version 13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSeacms
APPSeacms13.3
Related vulnerabilities
SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php
SQL injection w SeaCMS v13.3 — komponent admin_topic.php
SQL injection w SeaCMS v13.3 — komponent admin_manager.php
SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php
SQL Injection w SeaCMS — podatny plik admin_pay.php