Cyber Posture

CVE-2024-54879

Severity: Critical · Public PoC available

Published: 06 January 2025

Modified: 28 March 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0429 (88.9th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.

Security Summary

CVE-2024-54879 is an incorrect access control vulnerability (CWE-281) affecting SeaCMS version 13.1. The issue stems from a logic flaw that lets any user recharge member accounts indefinitely. Published on January 6, 2025, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), rated critical because of its high impact on confidentiality and integrity; availability is not affected (A:N).

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows indefinite recharging of member accounts, which can lead to unauthorized accumulation of balance or credits, manipulation of member accounts, and further abuse of paid features within the SeaCMS platform.

References include the vendor site at http://seacms.com and a technical analysis at https://blog.csdn.net/weixin_46686336/article/details/144797242, which may provide additional detail useful for detection or remediation.

Details

CWE(s): CWE-281

Affected Products

Vendor: seacms
Product: seacms
Version: 13.1

References