Vulnerability Description
SeedDMS 6.0.17 and 5.1.24 are vulnerable to Directory Traversal. The "Remove file" functionality inside the "Log files management" menu does not sanitize user input, allowing attackers with admin privileges to delete arbitrary files on the remote system.
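The defect described above is a path check that is missing from a file-removal handler. The following is an added example, not SeedDMS code, of how such a handler can be hardened: the user-supplied name must be a bare file name, must resolve to a regular file directly under the configured log directory, and must carry a log-file suffix before anything is unlinked. The directory layout, file names and `LOG_SUFFIXES` are constructed for the demonstration.

```python
"""Hardened 'remove log file' handler (illustrative, not SeedDMS's own code)."""
import os
import tempfile
from pathlib import Path

# Constructed allow-list of removable suffixes; a real deployment sets its own.
LOG_SUFFIXES = {".log"}


def resolve_log_file(log_dir, requested):
    """Map a user-supplied name to a file inside log_dir, or raise ValueError.

    Two independent checks are applied: a syntactic one on the raw string and
    a semantic one on the resolved path, so that neither encoding tricks nor
    symlinks planted in the log directory can escape it.
    """
    base = Path(log_dir).resolve(strict=True)

    # Syntactic check: reject empty names, NUL bytes, '.' / '..' and anything
    # that is not identical to its own basename (i.e. contains a separator).
    if (not requested or "\x00" in requested or requested in (".", "..")
            or "/" in requested or "\\" in requested
            or requested != os.path.basename(requested)):
        raise ValueError(f"rejected file name: {requested!r}")
    if Path(requested).suffix not in LOG_SUFFIXES:
        raise ValueError(f"not a log file: {requested!r}")

    unresolved = base / requested
    # A symlink inside the log directory could point anywhere; never follow it.
    if unresolved.is_symlink():
        raise ValueError("symbolic links are not removable")

    candidate = unresolved.resolve()
    # Semantic check: the resolved path must sit directly under the log
    # directory and must be a regular file that actually exists.
    if candidate.parent != base or not candidate.is_file():
        raise ValueError(f"path escapes log directory or is not a file: {requested!r}")
    return candidate


def remove_log_file(log_dir, requested):
    """Delete one log file after validation; returns True on success."""
    target = resolve_log_file(log_dir, requested)
    target.unlink()
    return True


def demo():
    """Run the handler against constructed inputs and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log_dir = root / "logs"
        log_dir.mkdir()
        (log_dir / "app.log").write_text("constructed log line\n")
        # Constructed file outside the log directory that must survive.
        victim = root / "config.php"
        victim.write_text("<?php // constructed placeholder\n")

        attempts = {
            "plain": "app.log",                 # legitimate request
            "dotdot": "../config.php",          # traversal via parent reference
            "absolute": str(victim),            # absolute path to the same file
            "nul": "app.log\x00.txt",           # NUL byte smuggled into the name
            "plain_again": "app.log",           # already removed: no longer a file
        }
        results = {}
        for label, name in attempts.items():
            try:
                remove_log_file(log_dir, name)
                results[label] = "removed"
            except ValueError:
                results[label] = "rejected"
        results["victim_still_exists"] = victim.exists()
        results["log_removed"] = not (log_dir / "app.log").exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two-layer check matters: the string check alone would not catch a symlink already sitting in the log directory, and the resolved-path check alone would accept an odd but valid-looking name that `resolve()` happens to normalise. Logging every rejected request gives defenders a clear signal that someone with admin credentials is probing the handler.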
CVSS Score
MEDIUM (6.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Seeddms | Seeddms | 5.1.24 |
Related Weaknesses (CWE)
References
- https://github.com/looCiprian/Responsible-Vulnerability-Disclosure/tree/main/CVE (Exploit, Patch, Third Party Advisory)
- https://sourceforge.net/p/seeddms/code/ci/d68c922152e8a8060dd7fc3ebdd7af685e270e (Patch, Vendor Advisory)
FAQ
What is CVE-2022-28478?
CVE-2022-28478 is a vulnerability with a CVSS score of 6.5 (MEDIUM). SeedDMS 6.0.17 and 5.1.24 are vulnerable to Directory Traversal. The "Remove file" functionality inside the "Log files management" menu does not sanitize user input allowing attackers with admin privi...
How severe is CVE-2022-28478?
CVE-2022-28478 has been rated MEDIUM with a CVSS base score of 6.5/10. Exploitation requires admin privileges, but a successful attack allows deletion of arbitrary files on the server.
Is there a patch for CVE-2022-28478?
Yes. The vendor commit linked in the references section above is the fix; the third-party advisory documents the issue. The affected product is SeedDMS (vendor Seeddms), versions 5.1.24 and 6.0.17.