SeedDMS versions 6.0.18 and 5.1.25 are prone to path traversal during delete operation. The "Remove file" functionality inside the "Log files management" menu does not sanitize user input allowing attackers to delete arbitrary files on the remote system.
Vulnerable code
Injecting payload
File system view before and after the exploit
Sanitize user input using "basename" php function
https://sourceforge.net/p/seeddms/code/ci/d68c922152e8a8060dd7fc3ebdd7af685e270e36/
- [26/03/2022] Vulnerability evidence sent to the vendor
- [26/03/2022] Vulnerability confirmed by the vendor
- [26/03/2022] Vulnerability fixed by the vendor
Thanks to the main developer of SeedDMS, Uwe Steinmann, that immediately acknowledged the vulnerability and fixed it.