SeaCMS Arbitrary File Read Vulnerability in admin_safe.php

Vulnerability

An arbitrary file read vulnerability has been identified in SeaCMS version 13.3. The issue arises in the admin_safe.php file, where the file_get_contents function is called on a user-supplied path without adequate validation of the input parameters. This flaw allows an attacker to read arbitrary files from the server.

Impact

Exploitation of this vulnerability allows for arbitrary file read, which could lead to the disclosure of sensitive information, such as password files or application configuration files.

Reproduction

To reproduce this vulnerability, send a request to admin_safe.php with the action parameter set to 'download' and the file parameter set to the path of the file to be read. The server will respond with the contents of the specified file, bypassing any intended access controls.
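The root cause described above is a file path taken straight from a request parameter and passed to file_get_contents. The following is an added example of how a download handler of this kind can be hardened; it is not SeaCMS code, and the export directory (EXPORT_DIR), the extension allowlist and the isAdminSession() helper are assumptions made for illustration, while the action and file parameter names are the ones named in this advisory.

```php
<?php
// Added example (not SeaCMS code): a download handler that confines the
// requested file to a single export directory before reading it.
declare(strict_types=1);

const EXPORT_DIR  = __DIR__ . '/data/backup';  // assumed: the only directory served
const ALLOWED_EXT = ['zip', 'sql', 'txt'];     // assumed: downloadable file types

/**
 * Resolve $requested inside $baseDir, or return null if it must not be served.
 * realpath() normalises "../" segments, symlinks and absolute paths before the
 * containment check, so the comparison is done on the real on-disk location.
 */
function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The handler serves one flat directory: a bare file name is the only
    // legitimate input, so reject empty names, NUL bytes and any separator.
    if ($requested === ''
        || str_contains($requested, "\0")
        || basename($requested) !== $requested) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment: the resolved path must lie strictly under the base directory.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

/** Hypothetical session check; a real CMS would use its own admin auth here. */
function isAdminSession(): bool
{
    return !empty($_SESSION['admin_id']);
}

session_start();
if (($_GET['action'] ?? '') === 'download') {
    if (!isAdminSession()) {
        http_response_code(403);
        exit('forbidden');
    }
    $path = resolveInside(EXPORT_DIR, (string) ($_GET['file'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        exit('invalid file');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

Two properties matter in this pattern: the authorisation check runs before any filesystem access, and the path is validated on its resolved form rather than on the raw string, so encoded traversal sequences and symlinks are caught by the same containment test. Rejecting everything except a bare file name is stricter than strictly necessary but removes the whole class of traversal inputs for a handler that only ever serves one directory.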

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread           1.0
  impact           2.5
  exploitability   9.7
  remediation      0.0
  relevance        0.0
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.