SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.
The vulnerability consists of the lack of proper validation and sanitization of input data passed to the admin_comment_news.php component. An attacker can inject malicious SQL code into queries directed to the application's database. Due to the network vector (AV:N), no authentication requirement (PR:N) and no user interaction (UI:N), the exploit can be executed completely remotely.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and under favorable conditions take full control of the backend system — which corresponds to high impact on confidentiality, integrity and availability (C:H/I:H/A:H).
Patches available from the manufacturer should be applied in accordance with the references. Until the fix is implemented, it is recommended to restrict access to the administration panel (including admin_comment_news.php) exclusively to trusted IP addresses at the firewall or web server level.
SeaCMS version 13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSeacms
APPSeacms13.3
Related vulnerabilities
RCE w SeaCMS v13.3 przez komponent phomebak.php
SQL injection w SeaCMS v13.3 — komponent admin_topic.php
SQL injection w SeaCMS v13.3 — komponent admin_manager.php
SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php
SQL Injection w SeaCMS — podatny plik admin_pay.php