CVE-2022-28479

Published: Jun 6, 2022Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

SeedDMS versions 6.0.18 and 5.1.25 and below are vulnerable to stored XSS. An attacker with admin privileges can inject the payload inside the "Role management" menu and then trigger the payload by loading the "Users management" menu

Affected (2)

Products: Seeddms: Seeddms

Seeddms

1 product

Seeddms

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Seeddms Seeddms	Version 5.1.25
Seeddms Seeddms	Version 6.0.18

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE-2022-28479

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://sourceforge.net/p/seeddms/code/ci/9e92524fdbd1e7c3e6771d669f140c62389ec375/

Source: cve@mitre.org

PatchVendor Advisory

https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE-2022-28479

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://sourceforge.net/p/seeddms/code/ci/9e92524fdbd1e7c3e6771d669f140c62389ec375/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.