CVE-2018-12943 : Security Advisory and Response

SeedDMS version 5.1.8 (previously LetoDMS and MyDMS) is vulnerable to Cross-Site Scripting (XSS) through the "action" URL parameter, allowing remote attackers to inject malicious scripts or HTML. Learn how to mitigate this security risk.

Understanding CVE-2018-12943

What is CVE-2018-12943?

SeedDMS (formerly LetoDMS and MyDMS) version 5.1.8 is susceptible to a Cross-Site Scripting (XSS) vulnerability that enables attackers to insert their web scripts or HTML code via the "action" parameter.

The Impact of CVE-2018-12943

Despite the presence of this XSS vulnerability, the application's functionality and behavior remain unaffected.

Technical Details of CVE-2018-12943

Vulnerability Description

The XSS vulnerability in SeedDMS version 5.1.8 allows remote attackers to inject arbitrary web scripts or HTML through the "action" URL parameter.

Affected Systems and Versions

        Affected Version: 5.1.8

Exploitation Mechanism

Attackers can exploit this vulnerability by injecting their own web scripts or HTML code using the action parameter.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade SeedDMS to a non-vulnerable version.
        Implement input validation to sanitize user inputs.
        Monitor and filter user-generated content for malicious scripts.
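
As an added example (not part of the original advisory and not SeedDMS code), the monitoring step can be approximated by scanning web-server access logs for "action" values that fall outside a strict allow-list pattern. The log lines, the path /dms/page.php and the allow-list pattern are constructed assumptions; adjust the pattern to the action names your installation actually uses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate action names are short identifiers; anything else is flagged.
SAFE_ACTION = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the path is a placeholder, not a real SeedDMS endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2018:10:00:00 +0000] "GET /dms/page.php?action=show HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2018:10:00:05 +0000] "GET /dms/page.php?action=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jul/2018:10:00:09 +0000] "GET /dms/page.php?id=7&action=%2522%253E%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 541',
]


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_action_values(line):
    """Return decoded 'action' values in a log line that fail the allow-list."""
    match = REQUEST.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query):  # parse_qsl decodes one layer
        if name.lower() == "action":
            value = decode_fully(value)
            if not SAFE_ACTION.fullmatch(value):
                hits.append(value)
    return hits


def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_action_values(line)]


if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious action value {v!r}")
```

The same allow-list check can be applied server-side to reject unexpected "action" values before they are reflected, but it does not replace upgrading or encoding output.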

Long-Term Security Practices

        Regularly update and patch SeedDMS to the latest secure version.
        Educate users on safe browsing practices and potential security risks.

Patching and Updates

Apply security patches and updates provided by SeedDMS to address the XSS vulnerability.
