CVE-2024-42598

MEDIUM

SeaCMS 13.0 - Authenticated Remote Code Execution via admin_editplayer.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-42598. PoCs published by fushuling.

AI-analyzed exploit summary This document provides a technical analysis of CVE-2024-42598, a remote code execution vulnerability in SeaCMS 13.0. It details how authenticated attackers can bypass file extension restrictions in admin_editplayer.php to inject malicious code into template files, leading to arbitrary command execution.

Description

SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges.

Exploits (1)

gitee WRITEUP 1 stars
by fushuling · poc
https://gitee.com/fushuling/cve/blob/master/SeaCMS%20V13%20admin_editplayer.php%20code%20injection.md

This document provides a technical analysis of CVE-2024-42598, a remote code execution vulnerability in SeaCMS 13.0. It details how authenticated attackers can bypass file extension restrictions in admin_editplayer.php to inject malicious code into template files, leading to arbitrary command execution.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SeaCMS 13.0
Auth required
Prerequisites: Authenticated access to the admin panel · Ability to modify template files
devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.7
EPSS 0.0014
EPSS Percentile 34.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
seacms/seacms 13.0
Published Aug 20, 2024
Tracked Since Feb 18, 2026