CVE-2024-44683

6.1 MEDIUM

📋 TL;DR

Seacms v13 contains a cross-site scripting vulnerability in admin-video.php that allows attackers to inject malicious scripts into web pages viewed by administrators. This affects administrators of Seacms installations who access the vulnerable admin interface. Successful exploitation could lead to session hijacking or unauthorized administrative actions.

💻 Affected Systems

Products:
  • Seacms
Versions: v13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin-video.php accessible and administrative interface enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full administrative control over the Seacms installation, potentially leading to complete system compromise, data theft, or website defacement.

🟠 Likely Case

Attacker steals administrator session cookies, gains unauthorized access to the admin panel, and performs limited malicious actions.

🟢 If Mitigated

Attack is blocked by proper input validation, output encoding, or web application firewall rules.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an administrator to interact with the malicious payload (for example, by viewing a page into which it has been injected), but XSS payloads are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Applies to: all

Implement proper input validation and output encoding in admin-video.php so that user-controlled input cannot be reflected into the page as markup.

Edit admin-video.php so that every user-controlled value is passed through htmlspecialchars() (or an equivalent output-encoding function) at the point where it is written into the HTML response.

Content Security Policy

Applies to: all

Add a strict Content-Security-Policy response header so that the browser refuses to execute injected inline scripts even if one reaches the page.

Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
(This policy disallows inline scripts and scripts loaded from other origins, so any legitimate inline scripts in the admin interface must be moved to external files on the same origin first, or they will stop working too.)
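The two workarounds above, shown together in a small stand-alone script. This is an added example, not Seacms code: the parameter name `title`, the `<input>` markup and the function names are assumptions, and the real admin-video.php uses its own variable names and templates. The point it makes is that encoding happens at the exact place where a user-controlled value is written into HTML, and that the CSP is a second, independent layer.

```php
<?php
// Added example, not Seacms code: the two workarounds above (output
// encoding with htmlspecialchars() and the strict CSP header) applied in a
// small stand-alone script. The parameter name "title" and the markup are
// assumptions; the real admin-video.php uses its own variable names.

declare(strict_types=1);

// Encode a user-controlled string for safe inclusion in an HTML body or
// attribute value. ENT_QUOTES encodes both ' and ", so the result is also
// safe inside single-quoted attributes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string; the explicit
// charset avoids depending on the default_charset ini setting.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the value is concatenated into the page verbatim, so
// a submitted <script> element becomes live markup in the admin's browser.
function render_vulnerable(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened pattern: same template, but every user-controlled value is
// encoded at the exact point where it is written into HTML.
function render_hardened(string $title): string
{
    return '<input type="text" name="title" value="' . encode_html($title) . '">';
}

// The CSP from the advisory. Without 'unsafe-inline', a CSP-enforcing
// browser refuses to run inline <script> blocks and inline event handlers,
// so a payload that slips past encoding still does not execute. Legitimate
// inline scripts in the admin UI must first be moved to external files on
// the same origin, or the policy will break them as well.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed input: when run from the CLI there is no request, so the
// probe string quoted in the advisory stands in for a reflected parameter.
$title = $_GET['title'] ?? "<script>alert('XSS')</script>";

if (PHP_SAPI === 'cli') {
    // Side-by-side comparison for the reader. The vulnerable rendering is
    // only ever printed to the terminal, never sent to a browser.
    echo "Vulnerable: ", render_vulnerable($title), PHP_EOL;
    echo "Hardened:   ", render_hardened($title), PHP_EOL;
} else {
    // Headers must be sent before any output.
    send_csp_header();
    header('Content-Type: text/html; charset=UTF-8');
    echo render_hardened($title);
}
```

Run it with `php example.php` to see the raw and encoded renderings next to each other. When the same file is served by a web server, only the hardened rendering is emitted and the CSP header accompanies it; the encoding is what removes the injection, and the CSP is what limits the damage if an unencoded sink is missed elsewhere in the admin interface.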

🧯 If You Can't Patch

  • Restrict access to admin-video.php using IP whitelisting or authentication requirements
  • Implement web application firewall rules to block XSS payload patterns

🔍 How to Verify

Check if Vulnerable:

Submit a harmless probe such as <script>alert('XSS')</script> to the affected parameters of admin-video.php and check whether the response reflects it unencoded; if the probe executes in the browser, the installation is vulnerable.

Check Version:

Check Seacms version in configuration files or admin panel

Verify Fix Applied:

Verify that the same probe is returned encoded (for example as &lt;script&gt;) and does not execute in the browser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in admin-video.php requests
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • HTTP requests containing script tags or JavaScript in admin-video.php parameters

SIEM Query:

source="web_logs" AND uri="*admin-video.php*" AND (content="<script>" OR content="javascript:")
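The indicator logic of the SIEM query above, applied to constructed access-log lines so the matching can be checked offline. This is an added example, not Seacms code or any SIEM product's query language; the Common Log Format layout, the request paths, the timestamps and the parameter name `keyword` are all constructed. It also goes one step beyond the literal query: browsers URL-encode a submitted `<script>` before it reaches the server, so a log search for the literal string `<script>` misses the form that actually appears in most access logs, and the example decodes and lower-cases the request target before matching.

```php
<?php
// Added example, not Seacms code or any SIEM product's query language: the
// indicator logic of the SIEM query above applied to constructed access-log
// lines. The log format (Common Log Format), the request paths, the
// timestamps and the parameter name "keyword" are assumptions.

declare(strict_types=1);

// Constructed sample log lines. Lines 2 and 3 carry the probe string from
// the advisory; line 3 is URL-encoded, which is how a browser normally
// submits it and therefore how it appears in a real access log. Line 4
// targets a different script and line 5 uses a mixed-case javascript: URL.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Sep/2024:10:01:02 +0000] "GET /admin-video.php?page=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Sep/2024:10:02:15 +0000] "GET /admin-video.php?keyword=<script>alert('XSS')</script> HTTP/1.1" 200 5188
203.0.113.9 - - [10/Sep/2024:10:02:40 +0000] "GET /admin-video.php?keyword=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 5188
198.51.100.7 - - [10/Sep/2024:10:03:01 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 2048
203.0.113.9 - - [10/Sep/2024:10:04:22 +0000] "GET /admin-video.php?keyword=JavaScript%3Aalert%281%29 HTTP/1.1" 200 5188
LOG;

// Return the matched indicator for a suspicious admin-video.php request,
// or null when the line is not of interest.
function classify_request(string $line): ?array
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST|HEAD|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $target = $m[1];
    if (stripos($target, 'admin-video.php') === false) {
        return null;
    }

    // Decode twice so that both the usual single layer of URL encoding and
    // a double-encoded value are seen in clear, then compare in lower case:
    // "<ScRiPt" and "JavaScript:" mean the same thing to a browser, and a
    // literal match on "<script>" (as in the SIEM query) would miss both
    // the encoded form and the case variants.
    $decoded = strtolower(urldecode(urldecode($target)));

    foreach (['<script', 'javascript:'] as $needle) {
        if (strpos($decoded, $needle) !== false) {
            return ['target' => $target, 'indicator' => $needle];
        }
    }
    return null;
}

// Scan every line, report hits, and return the number of suspicious lines.
function scan_log(string $log): int
{
    $hits = 0;
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $hit = classify_request($line);
        if ($hit === null) {
            continue;
        }
        $hits++;
        printf("line %d: indicator %-11s in %s\n", $n + 1, $hit['indicator'], $hit['target']);
    }
    return $hits;
}

$count = scan_log(SAMPLE_LOG);
echo "$count suspicious admin-video.php request(s)\n";
```

On the constructed sample, lines 2, 3 and 5 are reported and lines 1 and 4 are not. Two limitations carry over to any SIEM rule built the same way: an access log only records the query string, so a payload submitted in a POST body is invisible to it unless the application or a WAF logs request bodies, and substring indicators of this kind are a tripwire for the known probe patterns, not a complete XSS detector.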
