We followed responsible disclosure guidelines and notified the SeedDMS development team about the vulnerability. A patch has been released in SeedDMS version 5.1.23.
An attacker with authenticated access (e.g., as a user with write permissions) can upload a PHP web shell disguised as a document.
Ensure that the user account running the web server (e.g., www-data) has the minimum permissions necessary. It should never have root access to the system.

Final Thoughts
Risks where an attacker can force an authenticated user to perform unwanted actions.

How to Protect Your System
The Primary Vulnerability: Authenticated Remote Code Execution (RCE)
Security researchers from sites like Exploit-DB have documented a simple 4-step process attackers use: