CVE-2024-29275 in SeaCMS
Summary
by MITRE • 03/22/2024
SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/29/2025
The SQL injection vulnerability identified as CVE-2024-29275 affects SeaCMS version 12.9 and represents a critical security flaw that enables remote unauthenticated attackers to execute arbitrary code and extract sensitive information from the affected system. This vulnerability specifically manifests through the id parameter in the class.php file, which serves as the primary attack vector for exploiting the underlying database communication layer. The flaw stems from inadequate input validation and sanitization mechanisms that fail to properly filter malicious SQL commands before processing them within the database query execution context.
The technical implementation of this vulnerability occurs when user-supplied input from the id parameter is directly incorporated into SQL query construction without proper parameterization or escaping mechanisms. This allows attackers to manipulate the intended query structure by injecting malicious SQL payloads that can alter the logical flow of database operations. The vulnerability is classified under CWE-89 which specifically addresses SQL injection flaws where untrusted data is used to construct SQL commands without proper validation or sanitization. The attack surface is particularly concerning as it requires no authentication credentials, making it accessible to any remote attacker who can reach the vulnerable web application.
Operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise and unauthorized access to sensitive information. Attackers can leverage this vulnerability to extract database contents including user credentials, personal information, system configurations, and potentially gain deeper insights into the application architecture. The arbitrary code execution capability allows malicious actors to perform actions such as creating new administrative accounts, modifying existing data, or even establishing persistent backdoors within the compromised system. This vulnerability directly violates the principle of least privilege and can lead to full system compromise, particularly if the database user has elevated permissions that allow for file system access or additional administrative operations.
Mitigation strategies for CVE-2024-29275 should prioritize immediate patching of the affected SeaCMS version 12.9 to the latest available release that contains proper input validation and parameterized query implementations. Organizations should implement proper input sanitization techniques including parameterized queries, stored procedures, and comprehensive input validation that rejects or escapes potentially malicious SQL characters. Network-level protections such as web application firewalls and intrusion detection systems can provide additional layers of defense by monitoring for suspicious SQL injection patterns. The vulnerability's classification aligns with ATT&CK technique T1190 which covers exploitation of remote services, and T1078 which addresses valid accounts usage, as the attack can potentially escalate privileges and maintain persistence within the compromised environment. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other applications and ensure that input validation mechanisms remain robust against evolving attack vectors.