Seacms
by Seacms
CVEs (116)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16822 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 21, 2018 | SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php order parameter. |
| CVE-2018-16445 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 4, 2018 | An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request. |
| CVE-2018-16444 | | Cri | 0.59 | 9.1 | 0.01 | | Sep 4, 2018 | An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter. |
| CVE-2018-14910 | | Hig | 0.57 | 8.8 | 0.01 | | Aug 3, 2018 | SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. |
| CVE-2018-14421 | | Hig | 0.57 | 8.8 | 0.01 | | Jul 20, 2018 | SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. |
| CVE-2018-13445 | | Hig | 0.57 | 8.8 | 0.01 | | Jul 8, 2018 | An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add a user account via adm1n/admin_manager.php?action=add. |
| CVE-2018-13444 | | Hig | 0.57 | 8.8 | 0.01 | | Jul 8, 2018 | An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add an admin account via adm1n/admin_manager.php?action=save&id=2. |
| CVE-2018-17365 | | Hig | 0.49 | 7.5 | 0.02 | | Sep 26, 2018 | SeaCMS 6.64 and 7.2 allows remote attackers to delete arbitrary files via the filedir parameter. |
| CVE-2018-16446 | | Hig | 0.49 | 7.5 | 0.02 | | Sep 4, 2018 | An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt. |
| CVE-2025-15002 | | Hig | 0.47 | 7.3 | 0.00 | | Dec 21, 2025 | A vulnerability has been found in SeaCMS up to 13.3. The affected element is an unknown function of the file js/player/dmplayer/dmku/class/mysqli.class.php. Such manipulation of the argument page/limit leads to sql injection. The attack can be executed remotely. The exploit has… |
| CVE-2018-16343 | | Hig | 0.47 | 7.2 | 0.03 | | Sep 2, 2018 | SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. |
| CVE-2017-17561 | | Hig | 0.47 | 7.2 | 0.01 | | Dec 12, 2017 | SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/admin_ping.php, which interacts with data/admin/ping.php. |
| CVE-2018-17321 | | Med | 0.40 | 6.1 | 0.01 | | Sep 22, 2018 | An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. |
| CVE-2018-17062 | | Med | 0.40 | 6.1 | 0.01 | | Sep 16, 2018 | An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. |
| CVE-2018-14517 | | Med | 0.40 | 6.1 | 0.01 | | Jul 23, 2018 | SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields. |
| CVE-2018-11583 | | Med | 0.40 | 6.1 | 0.01 | | May 31, 2018 | SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter. |
| CVE-2018-16821 | | Med | 0.35 | 5.3 | 0.01 | | Sep 21, 2018 | SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests. |
| CVE-2025-15003 | | Med | 0.31 | 4.7 | 0.00 | | Dec 22, 2025 | A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Performing a manipulation of the argument e_id results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public… |
| CVE-2025-11071 | | Med | 0.31 | 4.7 | 0.00 | | Sep 27, 2025 | A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be… |
| CVE-2025-10662 | | Med | 0.31 | 4.7 | 0.00 | | Sep 18, 2025 | A vulnerability has been found in SeaCMS up to 13.3. The impacted element is an unknown function of the file /admin_members.php?ac=editsave. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the… |
Page 1 of 6