CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-44938
https://notcve.org/view.php?id=CVE-2022-44938
Weak reset token generation in SeedDMS v6.0.20 and v5.1.7 allows attackers to execute a full account takeover via a brute force attack. La generación débil de tokens de reinicio en SeedDMS v6.0.20 y v5.1.7 permite a los atacantes ejecutar una apropiación completa de la cuenta mediante un ataque de fuerza bruta. • https://pwnit.io/2022/11/23/weak-password-reset-token-leads-to-account-takeover-in-seeddms •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2022-28051
https://notcve.org/view.php?id=CVE-2022-28051
The "Add category" functionality inside the "Global Keywords" menu in "SeedDMS" version 6.0.18 and 5.1.25, is prone to stored XSS which allows an attacker to inject malicious javascript code. La funcionalidad "Add category" dentro del menú "Global Keywords" en "SeedDMS" versiones 6.0.18 y 5.1.25, es propensa a un ataque de tipo XSS almacenado que permite a un atacante inyectar código javascript malicioso • https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/blob/main/CVE-2022-28051/README.md https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE-2022-28051 https://sourceforge.net/p/seeddms/code/ci/6fc17be5d95e8f00fbe5c124c4acd377fa2ce69d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-28478
https://notcve.org/view.php?id=CVE-2022-28478
SeedDMS 6.0.17 and 5.1.24 are vulnerable to Directory Traversal. The "Remove file" functionality inside the "Log files management" menu does not sanitize user input allowing attackers with admin privileges to delete arbitrary files on the remote system. SeedDMS versiones 6.0.17 y 5.1.24, son vulnerables a un Salto de Directorio. La funcionalidad "Remove file" dentro del menú "Log files management" no sanea la entrada del usuario, lo que permite a atacantes con privilegios de administrador eliminar archivos arbitrarios en el sistema remoto • https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE-2022-28478 https://sourceforge.net/p/seeddms/code/ci/d68c922152e8a8060dd7fc3ebdd7af685e270e36 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-28479
https://notcve.org/view.php?id=CVE-2022-28479
SeedDMS versions 6.0.18 and 5.1.25 and below are vulnerable to stored XSS. An attacker with admin privileges can inject the payload inside the "Role management" menu and then trigger the payload by loading the "Users management" menu SeedDMS versiones 6.0.18 y 5.1.25 y anteriores, son vulnerables a un ataque de tipo XSS almacenado. Un atacante con privilegios de administrador puede inyectar la carga útil dentro del menú "Role management" y luego desencadenar la carga útil al cargar el menú "Users management" • https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE-2022-28479 https://sourceforge.net/p/seeddms/code/ci/9e92524fdbd1e7c3e6771d669f140c62389ec375 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2020-23048
https://notcve.org/view.php?id=CVE-2020-23048
SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters. SeedDMS Content Management System versión v6.0.7, contiene una vulnerabilidad de tipo cross-site scripting (XSS) persistente en el componente AddEvent.php por medio de los parámetros name y comment • https://www.vulnerability-lab.com/get_content.php?id=2209 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •