SeedDMS Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in SeedDMS version 6.0.29. This issue allows users or rogue administrators with the 'Add Category' permission to inject malicious XSS payloads into the category name field. Once a document is associated with the compromised category, the injected payload is saved on the server and displayed without adequate sanitization or encoding. Consequently, the XSS payload executes in the browser of any user who views the document.

Impact

Exploitation of this vulnerability allows for session hijacking, data exfiltration, phishing attacks, and remote code execution via JavaScript.

Reproduction

To reproduce this vulnerability, log in as a user with 'Add Category' permissions and navigate to the Admin Panel > Categories. Create a new category by injecting a script tag payload, such as an alert script, into the category name field. After saving the category, associate a document with it. When the document is viewed, the injected script executes in the browser.

Remediation

Users are advised to sanitize user input by escaping special characters in category names, implement a Content Security Policy to prevent inline script execution, and ensure proper output encoding before rendering category names in the user interface.