Cyber Posture

CVE-2024-54880

Severity: Critical · Public PoC available

Published: 06 January 2025
Modified: 28 March 2025
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0552 (90.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts in bulk.

Security Summary

CVE-2024-54880 is an Incorrect Access Control vulnerability (CWE-281) affecting SeaCMS version 13.1. The issue stems from a logic flaw that permits any user to register accounts in bulk, bypassing intended restrictions. Published on 2025-01-06, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its critical severity due to high impacts on confidentiality and integrity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables bulk account creation, potentially allowing adversaries to overwhelm the system with fraudulent registrations and achieve significant unauthorized access or control.

Mitigation details can be found in advisories referenced at https://blog.csdn.net/weixin_46686336/article/details/144797063 and the vendor site https://www.seacms.net/.

Details

CWE(s): CWE-281

Affected Products

Vendor: seacms
Product: seacms
Version: 13.1

References