CVE-2018-14421

EUVD-2018-6338
SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
seacmsseacms
6.61
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://hexo.imagemlt.xyz/post/seacms-backend-getshell/index.html
http://hexo.imagemlt.xyz/post/seacms-backend-getshell/index.html