[CVE-ID]:CVE-2024-46409
---------------------------------------------------------------------
[Suggested description]A stored cross-site scripting (XSS) vulnerability in SeedDMS v6.0.28 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter in the Calendar page.
---------------------------------------------------------------------
[Additional Information]:To reproduce it, follow this steps:
  1) log into SeedMS
  2) create a new event named <svg onload=alert()>
  3) go to https://demo6.seeddms.org/out/out.LogManagement.php?logname=<date>.log
---------------------------------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
---------------------------------------------------------------------
[Vendor of Product]:SeedDMS
-------------------------------------------------------------------
[Affected Product Code Base]:SeedDMS - 6.0.28
-------------------------------------------------------------------
[Affected Component]:The affected param is the Event name param in the post request
-------------------------------------------------------------------
[Attack Type]:Remote
---------------------------------------------------------------------
[Impact Information Disclosure]:true
--------------------------------------------------------------------
[CVE Impact Other]: Run Arbitrary Javascript code
--------------------------------------------------------------------
[Attack Vectors]:A Crafted name for any event in the calendar
--------------------------------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
--------------------------------------------------------------------
[Discoverer]:Marco Nappi
---------------------------------------------------------------------
[Reference]:http://seeddms.com