SQL injection vulnerability in the "Users management" functionality in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows authenticated attackers to manipulate an SQL query within the application by sending additional SQL commands to the application server. An attacker can use this vulnerability to perform malicious tasks such as to extract, change, or delete sensitive information within the database supporting the application, and potentially run system commands on the underlying operating system.
References
Link | Resource |
---|---|
https://www.contextis.com/resources/advisories/cve-2018-12942 | Patch Third Party Advisory |
https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG | Release Notes Patch Third Party Advisory |
Configurations
Information
Published : 2018-07-31 07:29
Updated : 2018-09-28 12:13
NVD link : CVE-2018-12942
Mitre link : CVE-2018-12942
JSON object : View
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Products Affected
seeddms
- seeddms