PT-2018-12503 · Seacms · Seacms
Published: 2018-07-19
Updated: 2018-09-14
CVE-2018-14421
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SeaCMS version 6.61
Description
The issue allows remote code execution by inserting PHP code into a movie picture address, also referred to as v_pic, in the /admin/admin_video.php or /backend/admin_video.php endpoint. The inserted code is then executed when the /details/index.php page is visited. The issue can also be exploited through Cross-Site Request Forgery (CSRF).
Recommendations
For SeaCMS version 6.61, consider restricting access to the /admin/admin_video.php and /backend/admin_video.php endpoints to prevent exploitation, and avoid using the v_pic variable in these endpoints until a fix is available. As a temporary workaround, consider implementing CSRF protection measures to minimize the risk of exploitation.
Fix
CSRF
Code Injection
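As an added example (not SeaCMS code), the PHP sketch below shows the two workarounds recommended above in the form a site operator could place in front of the admin_video.php save handler: a strict allowlist check on v_pic so a stored value can never carry PHP or HTML markup, and a session-bound CSRF token check on the form. The function names, the csrf_token field and the save call are assumptions.

```php
<?php
// Added example, not SeaCMS code. Function names, the csrf_token field and
// the persistence call are assumptions made for illustration.

/**
 * Accept only an http(s) URL or a relative path that ends in an image
 * extension. Any markup character ("<", ">", quotes, backslash) is rejected
 * outright, so "<?php ... ?>" can never be stored in the picture address.
 */
function is_valid_pic_address(string $v_pic): bool
{
    if ($v_pic === '' || strlen($v_pic) > 512) {
        return false;
    }
    if (preg_match('/[<>"\'\\\\]/', $v_pic)) {          // hard block on markup
        return false;
    }
    if (strpos($v_pic, '..') !== false) {               // no traversal segments
        return false;
    }
    $pattern = '#^(https?://[A-Za-z0-9.\-]+(:\d+)?)?/?[A-Za-z0-9_./\-]+\.(jpe?g|png|gif|webp)$#i';
    return (bool) preg_match($pattern, $v_pic);
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_token_ok(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Request handling: both checks run before anything is saved.
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // emit this in the form
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_ok($_SESSION, $_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $v_pic = (string) ($_POST['v_pic'] ?? '');
    if (!is_valid_pic_address($v_pic)) {
        http_response_code(400);
        exit('v_pic must be an image URL or path');
    }
    // save_video_picture($v_pic);  // assumed persistence call
}
```

The form that posts to this handler must include the session token as a hidden csrf_token field; without it every submission, including a cross-site one, is rejected.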
Related identifiers
Affected products
Seacms