SeaCMS SQL Injection Vulnerability in admin_link.php

A critical SQL injection vulnerability has been identified in SeaCMS versions prior to 13.3. The issue arises in the file admin_link.php, specifically when the action parameter 'delall' is used. The vulnerability is triggered by manipulating the 'e_id' argument, allowing for remote exploitation. This SQL injection could potentially be used to read or modify database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the SeaCMS application and navigate to the admin_link.php file. Once there, set the action parameter to 'delall' and manipulate the 'e_id' parameter to inject SQL commands. After sending the request, the injected SQL will be executed, demonstrating the vulnerability.