CRITICAL🇵🇱 Wersja polska

CVE-2025-25520

CVSS 9.8v3.1pub. 2025-02-25upd. 2025-03-28

Seacms <13.3 is vulnerable to SQL Injection in admin_pay.php.

🤖 AI Analysis
How it works

The vulnerability consists of insufficient validation and sanitization of input data passed to SQL queries in the admin_pay.php file. An attacker can inject malicious SQL code over the network without needing to have an account or user interaction. This allows manipulation of database queries in a manner not intended by the application.

Impact

An attacker can gain unauthorized access to sensitive data stored in the database, as well as modify or delete its contents. Under favorable conditions, complete takeover of the database system is also possible.

Mitigation & patch

SeaCMS should be updated to version 13.3 or newer. If immediate update is not possible, it is recommended to restrict access to the admin_pay.php file at the firewall or web server level and implement WAF rules blocking SQL Injection attempts.

Who is affected

SeaCMS in versions prior to 13.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Seacms

    APP
    Seacms
    ≤ 13.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-44073CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php

CVE-2025-44074CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_topic.php

CVE-2025-44072CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_manager.php

CVE-2025-44071CRITICAL9.8PL ✓ten sam produkt

RCE w SeaCMS v13.3 przez komponent phomebak.php

CVE-2025-29647CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php