SeedDMS 5.1.22 Exploit Page

The following SeedDMS versions are affected:

The most critical vulnerability affecting SeedDMS 5.1.x versions (similar to the logic in CVE-2019-12744) lies in the "Add Document" workflow. The application fails to restrict file extensions globally or properly sanitize user-supplied data upon document creation.

When an administrator reviews the system logs or event history, this payload executes silently. The script extracts the admin’s session cookie and transmits it to the attacker's server, resulting in immediate .

2. File Upload Restrictions & The RCE Threat Landscape

Log in with valid credentials (even low-privileged ones with upload rights).

The server executes the whoami command and returns the system user identity (e.g., www-data), confirming full remote code execution.

Remediation and Mitigation Strategies

The attacker logs into the SeedDMS dashboard. This exploit requires at least a low-privileged user account, which can be obtained via phishing, credential stuffing, or default configurations.

2. Malicious File Upload

By browsing directly to the uploaded file path, the attacker triggers the execution of the PHP script on the server side. This can result in a full interactive shell, giving the adversary control over the hosting server. Examples of this pattern within the 5.1.x tree include CVE-2019-12744 (affecting versions prior to 5.1.11) and CVE-2018-12940.

2. Stored Cross-Site Scripting (XSS)

Authenticated Remote Code Execution in SeedDMS v6.0.32

$extraPath = '"; system($_GET["cmd"]); // ';

If your currently resides inside or outside the web application root

A manual payload (time-based):

The core of the exploit lies in an flaw (CWE-434). In versions prior to 5.1.11—and persisting in specific configurations of subsequent versions like 5.1.22—the application fails to properly validate the file extensions or contents of documents uploaded to the system. Attackers can exploit this by:

Last updated: 2025 – Exploit remains viable for unpatched 5.1.22 instances.

The attacker logs into the SeedDMS dashboard using compromised, weak, or default credentials. Since the vulnerability requires document upload privileges, a standard user account is usually enough to initiate the attack.

2. Crafting the Payload

SeedDMS is a popular open-source document management system, frequently deployed by small to medium-sized enterprises for its simplicity and robust feature set. However, version —released in early 2021—contains critical security flaws that have since become prime targets for penetration testers and malicious actors alike.

Once an initial "reverse shell" was obtained via the RCE, testers were able to escalate their privileges to by leveraging found credentials and insecure permissions on the host server.

Cross-Site Request Forgery (CSRF):