SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php.
The SQL injection vulnerability (CWE-89) involves insufficient validation or filtering of input data passed to the admin_topic.php component. An attacker can inject malicious SQL code directly into a query executed by the application, manipulating data passed to the database. Due to the AV:N/AC:L/PR:N/UI:N vector, the attack can be performed remotely, without authentication and without user interaction.
An attacker can obtain unauthorized access to data stored in the database, as well as modify or delete data and potentially take control of the database system, which threatens the confidentiality, integrity, and availability of the application.
Patches available from the vendor should be applied in accordance with the references. It is also recommended to restrict access to the admin panel (admin_topic.php) exclusively to trusted IP addresses and implement firewall rules blocking unauthorized access to administrative resources.
SeaCMS version 13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSeacms
APPSeacms13.3
Related vulnerabilities
SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php
RCE w SeaCMS v13.3 przez komponent phomebak.php
SQL injection w SeaCMS v13.3 — komponent admin_manager.php
SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php
SQL Injection w SeaCMS — podatny plik admin_pay.php