SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded.
Security readout for executives and security teams
Plain-English summary
SeaCMS 11.1 can store attacker-supplied JavaScript in the admin settings page through the checkuser parameter. When a user later opens that page, the script runs in their browser. This can expose session data or alter page content, but the supplied sources do not show active exploitation.
Executive priority
Treat this as a focused remediation item, not a crisis. Prioritize internet-facing or broadly accessible SeaCMS admin panels, because stored XSS can turn routine administration into browser-side compromise.
Technical view
This is a stored cross-site scripting issue, CWE-79, in SeaCMS 11.1's checkuser parameter on the admin settings page. CVSS 3.1 is 6.1: network reachable, low complexity, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact. Required application privileges are not clearly explained in the bundle.
Likely exposure
Exposure is most likely for organizations still running SeaCMS 11.1, especially where the administrative interface is reachable beyond trusted administrators. The structured affected-version data is incomplete, so confirm versions directly rather than relying only on CPE matching.
Exploitation context
A public ExploitDB reference exists, so defenders should assume proof-of-concept details are available. The CVE is not listed as KEV in the bundle, and no cited source states active exploitation.
Researcher notes
The evidence supports stored XSS in checkuser and a public exploit reference. Patch status is not provided in the bundle. Avoid claiming active exploitation, and note the affected-version metadata conflict between the title and structured version field.
Mitigation direction
Check SeaCMS vendor guidance for a fixed release or official workaround.
Upgrade if an official fixed version is available and compatible.
Restrict admin interface access to trusted networks or VPN users.
Remove unexpected script content from affected stored settings.
Review input validation and output encoding around admin settings fields.
Validation and detection
Inventory SeaCMS deployments and confirm exact running versions.
Identify whether any instance is SeaCMS 11.1.
Verify administrative pages are not publicly reachable.
Review checkuser setting values for unexpected HTML or script content.
Check web and admin audit logs for suspicious settings changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.