Submit #716084: SeaCMS 13.3 SQL Injectioninfo

TitleSeaCMS 13.3 SQL Injection
DescriptionMultiple SQL injection vulnerabilities exist in the SeaCMS backend video management module. The vulnerable code uses `implode()` to concatenate array elements directly into SQL queries without proper sanitization. **⚠️ CRITICAL: Unlike frontend vulnerabilities, the backend disables SQL security checks!** **Vulnerability Characteristics:** - **Authentication Required**: Backend administrator access needed - **Multiple Injection Points**: Lines 260, 293, 318, 326 - **WAF Protection**: ❌ DISABLED in backend (`$dsql->safeCheck = false`) - **Fully Exploitable**: ✅ YES - UNION and time-based blind injection confirmed
Source⚠️ https://note-hxlab.wetolink.com/share/aTI1wPFLm7FG
User
 yu22x (UID 34832)
Submission12/16/2025 02:24 (6 months ago)
Moderation12/21/2025 09:31 (5 days later)
StatusAccepted
VulDB entry337708 [SeaCMS up to 13.3 admin_video.php e_id sql injection]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!