SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php.
An attacker sends a crafted HTTP request to the admin_manager.php component, injecting malicious SQL code into a query executed by the application. The lack of proper validation or parameterization of input data allows manipulation of database query logic. The attack vector is network-based, requires no authentication or user interaction.
An attacker can obtain unauthorized access to sensitive data, modify or delete database content, and in certain server configurations potentially execute system commands — which may lead to complete server takeover.
Apply patches available from the vendor according to references. As a temporary measure, it is recommended to restrict access to the admin panel (admin_manager.php) exclusively to trusted IP addresses and use a web application firewall (WAF) blocking SQL injection attempts.
SeaCMS version 13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSeacms
APPSeacms13.3
Related vulnerabilities
SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php
SQL injection w SeaCMS v13.3 — komponent admin_topic.php
RCE w SeaCMS v13.3 przez komponent phomebak.php
SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php
SQL Injection w SeaCMS — podatny plik admin_pay.php