[CVE-ID]: CVE-2024-46409
---------------------------------------------------------------------
[Suggested description]: A stored cross-site scripting (XSS) vulnerability in SeedDMS v6.0.28 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter on the Calendar page.
---------------------------------------------------------------------
[Additional Information]: To reproduce it, follow these steps:
1) Log into SeedDMS.
2) Create a new event named <svg onload=alert()>.
3) Go to https://demo6.seeddms.org/out/out.LogManagement.php?logname=<date>.log
---------------------------------------------------------------------
[Vulnerability Type]: Cross Site Scripting (XSS)
---------------------------------------------------------------------
[Vendor of Product]: SeedDMS
---------------------------------------------------------------------
[Affected Product Code Base]: SeedDMS - 6.0.28
---------------------------------------------------------------------
[Affected Component]: The affected parameter is the Event name parameter in the POST request.
---------------------------------------------------------------------
[Attack Type]: Remote
---------------------------------------------------------------------
[Impact Information Disclosure]: true
---------------------------------------------------------------------
[CVE Impact Other]: Run arbitrary JavaScript code
---------------------------------------------------------------------
[Attack Vectors]: A crafted name for any event in the calendar
---------------------------------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]: true
---------------------------------------------------------------------
[Discoverer]: Marco Nappi
---------------------------------------------------------------------
[Reference]: http://seeddms.com
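The root cause described above is a stored value (the event name) that is written to a log and later rendered into an HTML page without output encoding. The following is an added illustration, not code from the advisory or from SeedDMS: it contrasts the vulnerable rendering pattern with the hardened one, and adds a simple log-review check that flags stored event names carrying markup. The log line format is constructed for this example and is not SeedDMS's real format.

```python
import html
import re

# Constructed sample log lines (assumed format, not SeedDMS's own).
# The second line carries the event name from the advisory's reproduction steps.
SAMPLE_LOG = [
    "2024-09-10 12:00:00 INFO admin: calendar event added: Team meeting",
    "2024-09-10 12:01:00 INFO mallory: calendar event added: <svg onload=alert()>",
]

EVENT_MARKER = "calendar event added: "

# Heuristic for markup or script-like fragments inside a stored name.
MARKUP_RE = re.compile(r"<\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_log_unsafe(lines):
    """Vulnerable pattern: untrusted log text is concatenated into HTML verbatim,
    so a stored <svg onload=...> name becomes live markup in the viewer."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_safe(lines):
    """Hardened pattern: every line is HTML-escaped for the element-content
    context before insertion, so the same name is displayed as inert text."""
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


def flag_suspicious_event_names(lines):
    """Log-review check: return (line_number, event_name) for entries whose
    stored event name contains markup or inline-handler fragments."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if EVENT_MARKER not in line:
            continue
        name = line.split(EVENT_MARKER, 1)[1]
        if MARKUP_RE.search(name):
            hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    print(render_log_safe(SAMPLE_LOG))
    print(flag_suspicious_event_names(SAMPLE_LOG))
```

The escaped output shows `&lt;svg onload=alert()&gt;` where the unsafe version emits the raw tag; the check is a review aid for existing log data, not a substitute for encoding at render time.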