CVE-2018-12940

Published: Jul 31, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Unrestricted file upload vulnerability in "op/op.UploadChunks.php" in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the "qqfile" parameter. This allows an authenticated attacker to upload a malicious file containing PHP code to execute operating system commands to the web root of the application.

Affected (1)

Products: Seeddms: Seeddms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Seeddms Seeddms	Before 5.1.8

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG

Source: cve@mitre.org

Third Party Advisory

https://www.contextis.com/resources/advisories/cve-2018-12940

Source: cve@mitre.org

Third Party Advisory

https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.contextis.com/resources/advisories/cve-2018-12940

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.