CVE-2018-14910

Name of the Vulnerable Software and Affected Versions SeaCMS version 6.61

Description The issue allows for remote code execution by inserting PHP code into an allowed IP address, which is then executed when visiting specific endpoints, such as /admin/admin ip.php or /adm1n/admin ip.php, and also /data/admin/ip.php. This can also be exploited through Cross-Site Request Forgery (CSRF).

Recommendations For SeaCMS version 6.61, as a temporary workaround, consider restricting access to the /admin/admin ip.php and /adm1n/admin ip.php endpoints, as well as /data/admin/ip.php, to minimize the risk of exploitation. Avoid using the ip variable in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.