CVE-2014-2278
SeedDMS XSS / Traversal / Shell Upload
Affected Versions: before 4.3.4
Public Exploits: 1
Description
Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the partitionIndex parameter and leveraging CVE-2014-2279 (path traversal) to access it via the directory specified by the fileId parameter.
SeedDMS versions prior to 4.3.4 suffer from cross-site scripting, remote shell upload, and path traversal vulnerabilities.
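The description above names two request parameters that together turn an upload into code execution: one that ends up choosing the stored file's extension (partitionIndex) and one that ends up choosing the directory (fileId). The following PHP is an illustration added to this page, not SeedDMS source and not a reproduction of the advisory: a hypothetical chunked-upload path builder in its vulnerable form beside a hardened form that allow-lists both identifiers, assigns a fixed non-executable extension server-side, and confines the canonical path to the storage root. The function names `chunkPathVulnerable` and `chunkPathHardened`, the `<base>/<fileId>/chunk.<partitionIndex>` layout, the temporary storage root and the sample inputs are all assumptions for the example.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this page; it is not SeedDMS code and does not
// reproduce the advisory. It models the bug class the description names: a
// chunked-upload handler that stores each chunk at <base>/<fileId>/chunk.<partitionIndex>.
// In the vulnerable variant both request parameters flow straight into the path:
//   fileId         becomes a directory component, so "../" escapes the base;
//   partitionIndex becomes the file suffix, so "php" yields an executable file.
// The hardened variant validates both and confines the result to the base.

/** Vulnerable: the on-disk path is built directly from request input. */
function chunkPathVulnerable(string $base, string $fileId, string $partitionIndex): string
{
    return $base . '/' . $fileId . '/chunk.' . $partitionIndex;
}

/**
 * Hardened: identifiers must be plain integers, the file name is generated
 * server-side with a fixed non-executable extension, and the resolved
 * directory must lie under $base after canonicalisation.
 * Returns null on any violation so the caller can reject the request.
 */
function chunkPathHardened(string $base, string $fileId, string $partitionIndex): ?string
{
    // 1. Allow-list: digits only, so "..", "/", "\0" and letters are all rejected.
    if (!preg_match('/\A\d{1,18}\z/', $fileId) || !preg_match('/\A\d{1,6}\z/', $partitionIndex)) {
        return null;
    }

    // 2. The user never chooses a name or extension; the server derives both.
    $dir  = $base . '/' . (int) $fileId;
    $name = sprintf('chunk.%06d.part', (int) $partitionIndex);

    // 3. Defense in depth: compare canonical paths, with a trailing slash so
    //    "/basedir-evil" is not accepted as being inside "/basedir".
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                                   // storage root missing
    }
    if (!is_dir($dir) && !@mkdir($dir, 0700, true)) {
        return null;
    }
    $realDir = realpath($dir);
    if ($realDir === false || strncmp($realDir . '/', $realBase . '/', strlen($realBase) + 1) !== 0) {
        return null;
    }
    return $realDir . '/' . $name;
}

// Demonstration on constructed inputs, using a temporary storage root
// (a real handler would keep chunks outside the web root).
$base = sys_get_temp_dir() . '/dms-chunks-demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$benign  = ['42', '3'];
$hostile = ['../../var/www/html', 'php'];   // traversal plus executable suffix

echo "vulnerable / benign : ", chunkPathVulnerable($base, ...$benign),  "\n";
echo "vulnerable / hostile: ", chunkPathVulnerable($base, ...$hostile), "\n";
echo "hardened   / benign : ", var_export(chunkPathHardened($base, ...$benign), true),  "\n";
echo "hardened   / hostile: ", var_export(chunkPathHardened($base, ...$hostile), true), "\n";
```

Run it with `php example.php`. The point of the hardened variant is that no single check carries the whole load: the digit-only allow-list alone already blocks traversal and extension control, the server-chosen `.part` suffix means even a mis-stored file is not executed by the web server, and the `realpath` containment check catches any future change that lets a non-numeric identifier reach the path builder.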
SSVC
- Decision: -
Timeline
- 2014-03-04 CVE Reserved
- 2014-03-14 CVE Published
- 2014-03-14 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-31 EPSS Updated
- Exploited in Wild: none recorded
- KEV Due Date: none recorded
CWE
- CWE-20: Improper Input Validation
References (6)
URL | Tag | Date |
---|---|---|
http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html | Mailing List | |
http://osvdb.org/show/osvdb/104465 | VDB Entry | |
http://packetstormsecurity.com/files/125726 | x_refsource_MISC | |
http://secunia.com/advisories/57475 | Third Party Advisory | |
https://packetstorm.news/files/id/125726 | Public Exploit | 2014-03-14 |
http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG | Source (CHANGELOG) | 2014-10-23 |