CVE-2025-15003
SQL Injection in SeaCMS admin_video.php Allows Remote Exploit
Publication date: 2025-12-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seacms | seacms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15003 is a critical SQL injection vulnerability in SeaCMS (up to version 13.3) located in the backend video management module, specifically in the file admin_video.php. The vulnerability arises because the code processes the e_id parameter (an array of video IDs) by directly concatenating its elements into SQL queries without proper sanitization or validation. Additionally, the backend disables SQL security checks, making the injection fully exploitable. This allows an attacker with valid backend administrator access to perform SQL injection attacks, including UNION-based and time-based blind injections, to extract sensitive data such as admin passwords, manipulate or delete video records, and escalate privileges. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including full data extraction of sensitive information like admin passwords and user data, authentication bypass by obtaining admin credentials, data manipulation such as modifying or deleting video records, and privilege escalation allowing access to other admin accounts. The vulnerability compromises the confidentiality, integrity, and availability of the system, making it highly critical for affected SeaCMS installations. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if the backend video management module of SeaCMS is vulnerable to SQL injection via the e_id parameter in admin_video.php. Since exploitation requires a valid backend admin session, detection can include monitoring POST requests to the admin_video.php endpoint with the e_id[] parameter. Time-based blind SQL injection can be tested by sending crafted payloads that cause measurable delays (e.g., using SLEEP(3)) in the response. Additionally, Google dorking with queries like 'inurl:admin_video.php' can help identify potentially vulnerable targets. Specific commands are not provided, but testing can involve sending POST requests with SQL injection payloads in e_id[] and measuring response delays or error messages. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing all elements of the e_id array before using them in SQL queries by applying intval() to each element and validating that the resulting array is not empty. This sanitization should be applied consistently to all affected actions (lockall, restoreall, delall) in admin_video.php. Additionally, re-enabling SQL injection protection by setting $dsql->safeCheck = true in the backend configuration can help. Restricting backend administrator access and monitoring for suspicious activity are also recommended until a proper patch or update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of CVE-2025-15003 on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows full data extraction including admin passwords and user data, as well as data manipulation and privilege escalation, it could potentially lead to violations of data protection regulations by exposing sensitive personal data and compromising system integrity. No direct statements about compliance impact or regulatory consequences are provided. [1, 2, 3]