CVE-2025-45754 in SeedDMS

Summary

by MITRE • 05/21/2025

A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name.


Analysis

by VulDB Data Team • 06/25/2025

The stored cross-site scripting vulnerability identified as CVE-2025-45754 affects SeedDMS version 6.0.32, representing a critical security flaw that undermines the application's input validation mechanisms. This vulnerability stems from insufficient sanitization of user-supplied data when processing document names within the document management system. The flaw allows attackers to persist malicious JavaScript code within the application's database through legitimate document creation processes, making it particularly dangerous as the payload remains active until explicitly removed by administrators.

The root cause is the application's failure to escape or filter special characters in document names before storing them and later rendering them in web pages. When a user creates a document with a malicious payload in the document name field, the system stores the value without adequate sanitization. When the page is subsequently rendered, the unfiltered content executes in the browsers of other users who view the affected document listings, enabling attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions on behalf of victims. This stored XSS variant operates through the standard document creation workflow, requires minimal privileges to exploit, and shows the system's lack of defense in depth.

The operational impact of CVE-2025-45754 extends beyond simple data theft, as it can enable attackers to establish persistent footholds within environments where SeedDMS is deployed. Attackers can craft malicious document names containing JavaScript payloads that exploit browser vulnerabilities or leverage social engineering techniques to entice users into interacting with compromised documents. The vulnerability affects all users who have access to the document management system, potentially compromising entire organizational data repositories. This flaw particularly threatens environments where sensitive documents are stored, as attackers could manipulate document listings to redirect users to malicious sites or inject phishing content that appears legitimate within the application interface.

Organizations using SeedDMS 6.0.32 should immediately implement mitigations, including comprehensive input validation and output encoding for all user-supplied content, particularly document names and metadata fields. The recommended approach is to apply strict sanitization routines that remove or escape potentially dangerous characters before storing user data, combined with proper HTML escaping when rendering content in web interfaces. Organizations should also consider content security policies that limit the execution of inline scripts, and should regularly audit input validation mechanisms. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws. It represents a typical attack pattern categorized under ATT&CK technique T1566.001 for initial access through spearphishing attachments, as attackers may use compromised documents to deliver malicious payloads to unsuspecting users within the organization's document management ecosystem.
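The output-encoding and content-security-policy mitigations described above, as an added example that is not SeedDMS code and not part of the original advisory: a hypothetical document-listing renderer in PHP, with the unescaped pattern beside the encoded one. The function names, the `/document` URL path, and the sample names are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not SeedDMS source. All names here are hypothetical.

// Before: the stored name is concatenated into markup unchanged, so any
// markup it contains becomes part of the page for every viewer of the listing.
function renderRowUnescaped(int $id, string $name): string
{
    return '<li><a href="/document?id=' . $id . '" title="' . $name . '">'
         . $name . "</a></li>\n";
}

// Output encoding for HTML text and quoted-attribute contexts.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// After: every use of the name is encoded at render time.
function renderRowEscaped(int $id, string $name): string
{
    return '<li><a href="/document?id=' . $id . '" title="' . e($name) . '">'
         . e($name) . "</a></li>\n";
}

// Audit helper: names that change under encoding contain HTML metacharacters
// and deserve a manual look (a legitimate "R&D" will show up here too).
function namesToReview(array $names): array
{
    return array_filter($names, fn(string $n): bool => e($n) !== $n);
}

// Constructed sample data standing in for names read back from storage.
$names = [
    1 => 'Quarterly report.pdf',
    2 => '<script>alert(1)</script>',
    3 => 'x" onmouseover="alert(1)',
];

// Second layer: a policy without 'unsafe-inline' blocks inline script
// and inline event handlers even if an encoding call is missed somewhere.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}
foreach ($names as $id => $name) {
    echo renderRowEscaped($id, $name);
}
echo 'Review: ' . implode(', ', array_keys(namesToReview($names))) . "\n";
```

Encoding at render time protects listings even for names stored before any input filter was added, which is why it is applied on output rather than relied on at write time alone.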

Responsible: MITRE
Reservation: 04/22/2025
Disclosure: 05/21/2025
Moderation: accepted
CPE: ready
EPSS: 0.00140
KEV: no
Activities: very low
