CVE-2014-2278
SeedDMS < 4.3.3 - Unauthenticated Remote Code Execution via File Upload
Title source: llmDescription
Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the partitionIndex parameter and leveraging CVE-2014-2279.2 to access it via the directory specified by the fileId parameter.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/show/osvdb/104465
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html
Vendor Advisory x_refsource_confirm
http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/57475
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/125726
Scores
EPSS
0.0387
EPSS Percentile
89.0%
Details
CWE
CWE-20
Status
published
Products (1)
seeddms/seeddms
< 4.3.3
Published
Oct 17, 2014
Tracked Since
Feb 18, 2026