SeaCMS SQL Injection Vulnerability in Cron Task Management Module

A SQL injection vulnerability has been identified in SeaCMS version 13.3.20250820, specifically within the admin panel's cron task management module, in the file admin_cron.php. The vulnerability arises from the manipulation of the resourcefrom and collectID parameters, allowing for remote exploitation. The root causes include direct SQL concatenation of unsanitized user input and insufficient input sanitization, with dhtmlspecialchars() only escaping HTML but not SQL. This vulnerability has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to admin_cron.php with the action parameter set to addCron. Include the resourcefrom parameter with a crafted payload that exploits the SQL injection vulnerability, such as a time-based blind injection. Alternatively, the collectID parameter can be used to achieve the same effect, but this requires sending the request as multipart/form-data.