SeaCMS 6.61 allows remote malicious users to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS.
seacms seacms 6.61