CVE-2025-6864: SeaCMS 13.2 Vulnerable to Cross-Site Request Forgery (CSRF)
SeaCMS, a content management system, is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw could allow an attacker to trick a legitimate user into performing actions they did not intend, such as modifying administrative settings. This vulnerability affects versions up to 13.2.
Vulnerability Details
- CVE ID: CVE-2025-6864
- Description: SeaCMS up to version 13.2 is vulnerable to a CSRF attack via the /admin_type.php file. This allows a remote attacker to potentially perform actions on behalf of an authenticated user.
- CVSS Score and Vector:
- CVSS v3.1: 4.3 (Medium) - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVSS v4.0: 5.3 (Medium) - AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Both CVSS scores indicate medium severity. The attack is launched over the network (AV:N) with low complexity (AC:L) and needs no privileges (PR:N), but it does require user interaction (UI:R in v3.1, UI:P in v4.0: the victim only has to load a page the attacker controls, not actively confirm anything). Scope is unchanged (S:U). The only rated impact is a limited loss of integrity (I:L / VI:L): the attacker can change some data in the victim's name but cannot read data or affect availability. The 'E:P' (Proof-of-Concept) component of the v4.0 vector records that a proof-of-concept exploit has been published.
- Exploit Requirements: An attacker needs to trick a logged-in administrator into clicking a malicious link or visiting a crafted website.
- Affected Vendor, Product, Version: SeaCMS up to 13.2
- CWE: CWE-352 - Cross-Site Request Forgery (CSRF).
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Because the browser attaches the site's session cookie to requests regardless of which page initiated them, a page under the attacker's control can make the user's browser submit a forged request to the server, and the server processes it as if the user had sent it deliberately.
Timeline of Events
- 2025-06-29: Vulnerability reported.
- 2025-06-29: CVE ID assigned.
- 2025-06-29: Public disclosure of exploit.
Exploitability & Real-World Risk
CSRF is easy to exploit once the attacker can get a logged-in user to load a page they control: no credentials are needed, and the victim's browser supplies the session cookie automatically. The impact depends on the privileges of the targeted user and on what the vulnerable endpoint lets that user change. Here the target is a SeaCMS administrator and the endpoint is /admin_type.php, so the attacker can make whatever changes that file accepts in the administrator's name. The vector rates the integrity impact as Low (I:L), so the advisory does not claim full site takeover, but any change silently made under an administrator's session is a foothold worth closing.
Recommendations
- Patch: Upgrade to a patched version of SeaCMS if available.
- CSRF Protection: Enforce anti-CSRF tokens on every state-changing admin request (a per-session random secret embedded as a hidden form field and compared in constant time on the server), set the admin session cookie with the SameSite attribute, and reject POST requests whose Origin or Referer header does not match your own host.
- User Awareness: Educate users about the risks of clicking suspicious links and visiting untrusted websites.
- Input Validation: Keep validating and sanitising input as defence in depth, but note that it does not stop CSRF: a forged request carries perfectly valid input and is sent by the victim's own browser, so only a check that binds the request to the user's intent (token, SameSite cookie, origin check) addresses this flaw.
Technical Insight
The vulnerability resides in the /admin_type.php file, which accepts state-changing requests authenticated only by the session cookie, with no anti-CSRF token or origin check tied to the individual request. Because browsers attach cookies to cross-site form submissions automatically, any page a logged-in administrator visits can submit a request to this file and have it processed with the administrator's privileges.
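The following is an added example, written for this page and not taken from SeaCMS, showing the kind of check the Recommendations and the Technical Insight above call for: a vulnerable handler that trusts the session cookie alone, next to a hardened handler that also requires a per-session token and a matching Origin/Referer host. The handler names (`save_type_vulnerable`, `save_type_hardened`), the form field `tname`, the host `cms.example` and the request arrays are all hypothetical; real code would read from `$_SESSION`, `$_POST` and `$_SERVER`.

```php
<?php
// Added example (not SeaCMS code): a minimal anti-CSRF layer of the kind
// /admin_type.php needs. Handler names, the `tname` field and the hosts
// are hypothetical; the requests at the bottom are constructed inline.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = '_csrf';

// One random token per session, created on first use. An attacker's page
// cannot read it, because the same-origin policy keeps the admin's HTML
// (and so the hidden field) out of reach of other sites.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field to embed in every state-changing admin form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept the request only if (1) it is a POST, (2) the Origin (or Referer)
// header, when the browser sent one, points back at this site, and (3) the
// submitted token equals the session token, compared in constant time.
function csrf_check(array $session, array $post, array $server, string $siteHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin !== null) {
        $host = parse_url($origin, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $siteHost) !== 0) {
            return false;
        }
    }
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Vulnerable shape: acts on any request that arrives with an admin session.
function save_type_vulnerable(array $session, array $post, array &$types): bool
{
    if (empty($session['admin'])) {
        return false;
    }
    $types[] = $post['tname'] ?? '';
    return true;
}

// Hardened shape: the same action, gated on csrf_check().
function save_type_hardened(array $session, array $post, array $server, array &$types): bool
{
    if (empty($session['admin']) || !csrf_check($session, $post, $server, 'cms.example')) {
        return false;
    }
    $types[] = $post['tname'] ?? '';
    return true;
}

// Constructed demo: an admin session, a forged cross-site POST (cookie present,
// token absent, foreign Origin) and a legitimate same-site POST with the token.
$session = ['admin' => 'admin'];
$token   = csrf_token($session);
$types   = [];

$forged       = ['tname' => 'evil'];
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
var_dump(save_type_vulnerable($session, $forged, $types));
var_dump(save_type_hardened($session, $forged, $forgedServer, $types));

$legit       = ['tname' => 'Drama', CSRF_FIELD => $token];
$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example'];
var_dump(save_type_hardened($session, $legit, $legitServer, $types));
```

Run with `php example.php`: the vulnerable handler accepts the forged request, the hardened handler rejects it and accepts only the submission that carries the session token from a same-site origin. The token is the primary control; the Origin/Referer comparison is a second, independent check that is skipped when the header is absent, so it must never be the only one. In a real deployment the session cookie should also be issued with `SameSite=Lax` (or `Strict`) via `session_set_cookie_params()`, which keeps the browser from attaching it to cross-site POSTs in the first place.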
Credit to Researcher(s)
The vulnerability was identified and reported by murongchengshu.
Tags
#SeaCMS #CSRF #CVE-2025-6864 #SecurityVulnerability #WebSecurity
Summary: SeaCMS up to version 13.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack via the `/admin_type.php` file. A remote attacker can perform actions on behalf of an authenticated administrator by getting them to load a page the attacker controls. Users are advised to upgrade to a patched version and to enforce anti-CSRF protection on the administrative endpoints.
CVE ID: CVE-2025-6864
Risk Analysis: Successful exploitation lets the attacker make, in the administrator's name, whatever changes /admin_type.php accepts. The CVSS vector rates this as a limited integrity impact (I:L) with no confidentiality or availability impact, but unauthorised changes to a CMS made under an administrator's session can be used to stage further attacks on the site and its visitors.
Recommendation: Upgrade to a patched version of SeaCMS or implement CSRF protection mechanisms such as anti-CSRF tokens. Educate users about the risks of clicking suspicious links.