Exploit
CVE-2024-7161

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Jul 28, 2024 / Updated: 3mo ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

A vulnerability classified as problematic was found in SeaCMS 13.0. The issue affects an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Impact

This vulnerability allows an attacker to perform cross-site request forgery (CSRF) attacks. CSRF attacks can force end users to execute unwanted actions on a web application in which they're currently authenticated. This could lead to unauthorized actions being performed on behalf of the victim, such as changing passwords, making unauthorized transactions, or modifying user data. The impact is somewhat mitigated by the fact that user interaction is required for the attack to succeed, and the integrity impact is classified as low. There is no direct impact on confidentiality or availability of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including t.me.

Patch

The vulnerability information does not explicitly mention whether a patch is available. However, given that the vulnerability is in SeaCMS version 13.0, it's recommended to check for any newer versions or security updates from the SeaCMS developers that might address this issue.

Mitigation

1. Update SeaCMS to the latest version if a patch is available.
2. Implement CSRF tokens in all forms and state-changing requests to prevent CSRF attacks.
3. Use the SameSite cookie attribute to limit the scope of your cookies.
4. Implement proper Content Security Policy (CSP) headers.
5. Educate users about the risks of clicking on untrusted links, especially when they are logged into the SeaCMS system.
6. Consider implementing additional authentication steps for sensitive actions, such as changing passwords.
7. Regularly review and test the security of the password change functionality.
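Items 2, 3 and 6 applied to a password-change handler, as an added example (not SeaCMS code and not part of the advisory). The function names and the `csrf_token` and `oldpwd` fields are assumptions; `newpwd` and `newpwd2` are the parameters named in the summary.

```php
<?php
// Added example: hypothetical hardened password-change handler, not SeaCMS code.
// Function names and the 'csrf_token' / 'oldpwd' fields are assumptions;
// 'newpwd' and 'newpwd2' are the parameters named in the advisory.

// Issue one random token per session; embed it in the form as a hidden field.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid(array $session, array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    $want = $session['csrf_token'] ?? '';
    return is_string($sent) && $want !== '' && hash_equals($want, $sent);
}

// Returns [HTTP status, message]; $storedHash is the user's current password hash.
function change_password(string $method, array $session, array $post, string $storedHash): array {
    if ($method !== 'POST')           return [405, 'POST required'];
    if (!csrf_valid($session, $post)) return [403, 'missing or invalid CSRF token'];
    // Re-authentication: a forged cross-site request cannot supply the current password.
    if (!password_verify((string)($post['oldpwd'] ?? ''), $storedHash))
        return [403, 'current password incorrect'];
    $new = (string)($post['newpwd'] ?? '');
    if ($new === '' || $new !== (string)($post['newpwd2'] ?? ''))
        return [400, 'new passwords do not match'];
    return [200, password_hash($new, PASSWORD_DEFAULT)]; // caller stores the new hash
}

// In the web entry point, before session_start():
//   session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed demo requests (run with: php example.php)
$session = [];
$token   = csrf_issue($session);
$hash    = password_hash('old-secret', PASSWORD_DEFAULT);
$forged  = ['newpwd' => 'x', 'newpwd2' => 'x'];   // cross-site form: carries no token
$legit   = ['csrf_token' => $token, 'oldpwd' => 'old-secret',
            'newpwd' => 'n3w-pass', 'newpwd2' => 'n3w-pass'];
echo change_password('POST', $session, $forged, $hash)[0], "\n";
echo change_password('POST', $session, $legit,  $hash)[0], "\n";
```

The token check alone stops the forged request; the current-password check is the additional authentication step from item 6 and still holds if a token is ever leaked.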

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-7161.
Jul 28, 2024 at 3:37 PM / CVE

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Jul 28, 2024 at 3:37 PM

CVE Assignment
NVD published the first details for CVE-2024-7161.
Jul 28, 2024 at 4:15 PM

CVSS
A CVSS base score of 4.3 has been assigned.
Jul 28, 2024 at 4:20 PM / nvd

Exploitation in the Wild
Attacks in the wild have been reported by CTI Feeds - Cybercrime on Telegram.
Jul 28, 2024 at 6:07 PM / CTI Feeds - Cybercrime on Telegram

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.1%)
Jul 29, 2024 at 9:52 AM

CVSS
A CVSS base score of 6.5 has been assigned.
Sep 19, 2024 at 2:30 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released.
Sep 19, 2024 at 5:11 PM

CVSS
A CVSS base score of 6.5 has been assigned.
Oct 28, 2024 at 9:07 PM / nvd

Affected Systems

Seacms/seacms

Exploits

https://github.com/HuaQiPro/seacms/issues/30

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Update Sat Sep 28 14:32:32 UTC 2024
CVE-2024-7161 Exploit
CVE Id: CVE-2024-7161. Published Date: 2024-09-19T14:26:00+00:00. A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575. inTheWild added a link to an exploit: https://github.com/HuaQiPro/seacms/issues/30
Update Thu Aug 29 14:41:49 UTC 2024
CVE-2024-7161
Medium Severity. Description: A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575. Read more at https://www.tenable.com/cve/CVE-2024-7161
NA - CVE-2024-7161 - A vulnerability classified as problematic was...
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. The associated identifier of this vulnerability is VDB-272575.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability Impact: None
