Arbitrary File Write Vulnerability in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8

CVE-2018-12939 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

A directory traversal flaw in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows an authenticated attacker to write to (or potentially delete) arbitrary files via a .. (dot dot) in the "op/op.UploadChunks.php" "qquuid" parameter. NOTE: this can be leveraged to execute arbitrary code by using CVE-2018-12940.
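
One way to close this class of bug on the server side, shown as an added example (not SeedDMS's own code or its actual fix): check "qquuid" against a strict allow-list before it is used to build a path. The helper name resolveChunkDir, the staging-directory layout and the expectation that "qquuid" is a canonical UUID are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SeedDMS code. Hypothetical helper that maps a
// client-supplied qquuid to a chunk directory that must stay under $baseDir.
// Assumption: a legitimate qquuid is a canonical 8-4-4-4-12 hex UUID.
function resolveChunkDir(string $baseDir, $qquuid): string
{
    // Reject arrays (qquuid[]=...) and any other non-string input.
    if (!is_string($qquuid)) {
        throw new InvalidArgumentException('qquuid must be a string');
    }
    // Allow-list: hex digits and hyphens only, so '.', '/', '\' and NUL never pass.
    // \A and \z anchor the whole value; unlike $, \z rejects a trailing newline.
    if (preg_match('/\A[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $qquuid) !== 1) {
        throw new InvalidArgumentException('qquuid is not a UUID');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('chunk base directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . strtolower($qquuid);
    // Defence in depth: an existing entry must resolve to a direct child of the base.
    if (file_exists($target) || is_link($target)) {
        $real = realpath($target);
        if ($real === false || dirname($real) !== $base) {
            throw new RuntimeException('chunk directory resolves outside base');
        }
    }
    return $target;
}

// Demo with constructed inputs: one valid UUID and three values that must be refused.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'chunks_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
$samples = [
    '3f2b8c1e-9a4d-4e6f-8b7a-0c1d2e3f4a5b',
    '../../conf',
    "3f2b8c1e-9a4d-4e6f-8b7a-0c1d2e3f4a5b\n",
    ['x'],
];
foreach ($samples as $s) {
    try {
        resolveChunkDir($base, $s);
        echo 'accepted: ', json_encode($s), "\n";
    } catch (Exception $e) {
        echo 'rejected: ', json_encode($s), ' (', $e->getMessage(), ")\n";
    }
}
rmdir($base);
```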