CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28726
https://notcve.org/view.php?id=CVE-2020-28726
Open redirect in SeedDMS 6.0.13 via the dropfolderfileform1 parameter to out/out.AddDocument.php. Un redireccionamiento abierto en SeedDMS versión 6.0.13, por medio del parámetro dropfolderfileform1 en el archivo out/out.AddDocument.php • https://sourceforge.net/p/seeddms/code/ci/877844cbba0749367b8ba0e4e0bde34a1dc838f1 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12932
https://notcve.org/view.php?id=CVE-2019-12932
A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly escaping the search result in the autocomplete search form placed in the header of out/out.Viewfolder.php. Se ha encontrado una vulnerabilidad de Cross-Site Scripting (XSS) en SeedDMS versión 5.1.11 debido a que el resultado búsqueda no se ha realizado correctamente en el formulario de búsqueda de autocompletado ubicado en el encabezado de out / out.Viewfolder.php. • https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12745 – SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12745
out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field. out / out.UsrMgr.php en SeedDMS antes de la versión 5.1.11 permite el almacenamiento de secuencias de comandos en sitios cruzados (XSS) a través del campo de nombre. SeedDMS versions prior to 5.1.11 suffers from persistent cross site scripting vulnerability in out.UsrMgr.php. • https://www.exploit-db.com/exploits/47023 http://packetstormsecurity.com/files/153382/SeedDMS-out.UsrMgr.php-Cross-Site-Scripting.html https://secfolks.blogspot.com/2019/06/exploit-for-cve-2019-12745-stored-xss.html https://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 4CVE-2019-12744 – Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2019-12744
SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940. SeedDMS antes de la versión 5.1.11 permite la ejecución remota de comandos (RCE) debido a la carga de archivos no validados de los scripts PHP, una vulnerabilidad diferente a la CVE-2018-12940. SeedDMS versions prior to 5.1.11 suffers from a remote shell upload vulnerability. • https://www.exploit-db.com/exploits/50062 https://www.exploit-db.com/exploits/47022 https://github.com/nobodyatall648/CVE-2019-12744 http://packetstormsecurity.com/files/153383/SeedDMS-Remote-Command-Execution.html http://packetstormsecurity.com/files/163283/Seeddms-5.1.10-Remote-Command-Execution.html https://secfolks.blogspot.com/2019/06/exploit-for-cve-2019-12744-remote.html https://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12801 – SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12801
out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new group with a JavaScript payload as the "GROUP" Name. out / out.GroupMgr.php en SeedDMS 5.1.11 ha almacenado XSS al crear un nuevo grupo con una carga útil de JavaScript como el nombre "GRUPO". SeedDMS versions prior to 5.1.11 suffers from persistent cross site scripting vulnerability in out.GroupMgr.php. • https://www.exploit-db.com/exploits/47024 http://packetstormsecurity.com/files/153384/SeedDMS-out.GroupMgr.php-Cross-Site-Scripting.html https://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •