CVE-2014-2278

SeedDMS < 4.3.3 - Unauthenticated Remote Code Execution via File Upload

Title source: llm
STIX 2.1

Description

Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the partitionIndex parameter and leveraging CVE-2014-2279.2 to access it via the directory specified by the fileId parameter.

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/104465
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/57475
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/125726

Scores

EPSS 0.0387
EPSS Percentile 89.0%

Details

CWE
CWE-20
Status published
Products (1)
seeddms/seeddms < 4.3.3
Published Oct 17, 2014
Tracked Since Feb 18, 2026