CVE-2024-40522

There is a remote code execution vulnerability in SeaCMS 12.9. The vulnerability is caused by phomebak.php writing some variable names passed in without filtering them before writing them into the php file. An authenticated attacker can exploit this vulnerability to execute arbitrary commands and obtain system permissions.
Configurations

Configuration 1 (hide)

cpe:2.3:a:seacms:seacms:12.9:*:*:*:*:*:*:*

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20phomebak.php%20code%20injection.md - Exploit () https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20phomebak.php%20code%20injection.md - Exploit

01 Aug 2024, 13:57

Type Values Removed Values Added
CWE CWE-94
Summary
  • (es) Existe una vulnerabilidad de ejecución remota de código en SeaCMS 12.9. La vulnerabilidad se debe a que phomebak.php escribe algunos nombres de variables pasados sin filtrarlos antes de escribirlos en el archivo php. Un atacante autenticado puede aprovechar esta vulnerabilidad para ejecutar comandos arbitrarios y obtener permisos del sistema.

12 Jul 2024, 18:44

Type Values Removed Values Added
References () https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20phomebak.php%20code%20injection.md - () https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20phomebak.php%20code%20injection.md - Exploit
CPE cpe:2.3:a:seacms:seacms:12.9:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CWE NVD-CWE-noinfo
First Time Seacms
Seacms seacms

12 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 16:15

Updated : 2024-11-21 09:31


NVD link : CVE-2024-40522

Mitre link : CVE-2024-40522

CVE.ORG link : CVE-2024-40522


JSON object : View

Products Affected

seacms

  • seacms
CWE
NVD-CWE-noinfo CWE-94

Improper Control of Generation of Code ('Code Injection')