SeedDMS 5.1.22 Exploit: [2021]

The application allows users to upload documents. If the validation process fails to restrict file types (e.g., allowing .php files), an attacker can upload a web shell.

The server executes the code inside the web shell with the permissions of the www-data or Apache user.

SeedDMS stores uploaded files in a specific directory structure. If the web server configuration allows the execution of PHP scripts within the data directory, the attacker can trigger the payload by navigating directly to the file path:

GET /seeddms51/op/op.RemoveDocument.php?documentid=1 AND (SELECT 1234 FROM (SELECT(SLEEP(5)))a) HTTP/1.1
Host: target

Check your /data/ folder for unexpected PHP files. In a standard setup, this folder should only contain intended document types (PDFs, DOCX, etc.).
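The /data/ check described above can be scripted. This is an added example, not code from SeedDMS or from the original page; the extension list, the function names and the constructed sample tree (laid out like the data/1000/1/ path used on this page) are assumptions for illustration.

```python
import os
import tempfile

# Extensions a PHP handler commonly executes (assumed list; match it to your server config).
EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
PHP_MARKER = b"<?php"   # the open tag is case-insensitive, so content is lowercased first
HEAD_BYTES = 4096       # only the start of each file is inspected


def scan_data_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                findings.append((rel, "executable extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # Catches PHP content stored under a harmless-looking extension.
            if PHP_MARKER in head.lower():
                findings.append((rel, "PHP tag in content"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data directory: a PDF, a .php file and a PHP-tagged .txt."""
    samples = {
        os.path.join("1000", "1", "1.pdf"): b"%PDF-1.4 constructed sample",
        os.path.join("1000", "2", "1.php"): b"<?php /* constructed placeholder */ ?>",
        os.path.join("1000", "3", "1.txt"): b"notes\n<?PHP /* constructed placeholder */ ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_data_dir(tmp):
            print(f"{reason}: {rel}")
```

Point `scan_data_dir` at the real data directory and review every hit; a content hit in a text document that legitimately discusses PHP is a possible false positive.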

SeedDMS 5.1.23 and later patch both issues. Official fix: https://sourceforge.net/p/seeddms/code/HEAD/tree/branches/stable5.1.x/

The most severe vulnerabilities in SeedDMS allow attackers to execute arbitrary commands on the server.

Valid user credentials (even low-privileged accounts) and access to the document upload feature.

Once the shell's URL is confirmed:

By appending commands to the URL (like ?cmd=cat /etc/passwd), the attacker executes code on the server, effectively bypassing all intended document management security.

GET /seeddms/data/1000/1/1.php?cmd=whoami HTTP/1.1
Host: target-vulnerable-dms.com

script, which could trick an administrator into performing arbitrary actions.

Vulnerability Summary

Vulnerability Type | Primary Impact
Authenticated RCE | Full System Compromise
Database Access | Information Theft / Credential Leak
Administrative Action Bypass | Medium Risk

The CVSS score is , with the attack vector being "Network" and requiring only low-privileged access.

CVE-2022-44938 describes this weakness, noting that attackers can systematically guess valid reset tokens and take over user accounts, including administrative ones.