CVE-2024-40520

SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_config_mark.php directly splicing and writing the user input data into inc_photowatermark_config.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions.
Configurations

Configuration 1 (hide)

cpe:2.3:a:seacms:seacms:12.9:*:*:*:*:*:*:*

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_config_mark.php%20code%20injection.md - Exploit () https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_config_mark.php%20code%20injection.md - Exploit

01 Aug 2024, 13:57

Type Values Removed Values Added
Summary
  • (es) SeaCMS 12.9 tiene una vulnerabilidad de ejecución remota de código. La vulnerabilidad se debe a que admin_config_mark.php empalma y escribe directamente los datos de entrada del usuario en inc_photowatermark_config.php sin procesarlos, lo que permite a atacantes autenticados explotar la vulnerabilidad para ejecutar comandos arbitrarios y obtener permisos del sistema.
CWE CWE-20

12 Jul 2024, 18:44

Type Values Removed Values Added
First Time Seacms
Seacms seacms
CWE NVD-CWE-noinfo
References () https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_config_mark.php%20code%20injection.md - () https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_config_mark.php%20code%20injection.md - Exploit
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:seacms:seacms:12.9:*:*:*:*:*:*:*

12 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 16:15

Updated : 2024-11-21 09:31


NVD link : CVE-2024-40520

Mitre link : CVE-2024-40520

CVE.ORG link : CVE-2024-40520


JSON object : View

Products Affected

seacms

  • seacms
CWE
NVD-CWE-noinfo CWE-20

Improper Input Validation