CRITICAL🇵🇱 Wersja polska

CVE-2025-44072

CVSS 9.8v3.1pub. 2025-05-05upd. 2025-05-13

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php.

🤖 AI Analysis
How it works

An attacker sends a crafted HTTP request to the admin_manager.php component, injecting malicious SQL code into a query executed by the application. The lack of proper validation or parameterization of input data allows manipulation of database query logic. The attack vector is network-based, requires no authentication or user interaction.

Impact

An attacker can obtain unauthorized access to sensitive data, modify or delete database content, and in certain server configurations potentially execute system commands — which may lead to complete server takeover.

Mitigation & patch

Apply patches available from the vendor according to references. As a temporary measure, it is recommended to restrict access to the admin panel (admin_manager.php) exclusively to trusted IP addresses and use a web application firewall (WAF) blocking SQL injection attempts.

Who is affected

SeaCMS version 13.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Seacms

    APP
    Seacms
    13.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-44073CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php

CVE-2025-44074CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_topic.php

CVE-2025-44071CRITICAL9.8PL ✓ten sam produkt

RCE w SeaCMS v13.3 przez komponent phomebak.php

CVE-2025-29647CRITICAL9.8PL ✓ten sam produkt

SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php

CVE-2025-25520CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SeaCMS — podatny plik admin_pay.php