## https://sploitus.com/exploit?id=PACKETSTORM:181974
[CVE-ID]:CVE-2024-46409  
---------------------------------------------------------------------  
[Suggested description]A stored cross-site scripting (XSS) vulnerability in SeedDMS v6.0.28 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter on the Calendar page.  
---------------------------------------------------------------------  
[Additional Information]:To reproduce it, follow these steps:  
1) log into SeedDMS  
2) create a new event named `<svg onload=alert()>`  
3) go to https://demo6.seeddms.org/out/out.LogManagement.php?logname=<date>.log  
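The reproduction steps above describe the classic stored-XSS shape: an event name is saved unescaped, echoed into a log file, and later rendered into the log-viewer page as HTML. The following Python is an added illustration, not SeedDMS code: the log line format, the `name=` field, and the function names are constructed assumptions. It contrasts the vulnerable rendering pattern with an output-encoded one and shows a simple review check that flags stored log entries whose event name contains markup.

```python
import html
import re

# Constructed sample log lines in the shape of an application log that echoes
# a calendar event name. This format is an assumption, not real SeedDMS output.
SAMPLE_LOG_LINES = [
    "2024-09-01 10:15:02 [INFO] user=alice action=addEvent name=Team meeting",
    "2024-09-01 10:16:40 [INFO] user=mallory action=addEvent name=<svg onload=alert()>",
    "2024-09-01 10:17:05 [INFO] user=bob action=addEvent name=Release review",
]

# Matches an HTML/SVG tag-like token such as <svg ...> or </script>.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z!][^>]*>")

# Pulls the free-text event name out of a constructed log line (hypothetical format).
NAME_RE = re.compile(r"\bname=(.*)$")


def render_unsafe(line: str) -> str:
    """Vulnerable pattern: the raw log line is concatenated straight into HTML,
    so any tag stored in the event name is interpreted by the browser."""
    return f"<pre>{line}</pre>"


def render_safe(line: str) -> str:
    """Fixed pattern: the line is HTML-encoded before it reaches the page, so
    '<' becomes '&lt;' and the stored payload is displayed as text only."""
    return f"<pre>{html.escape(line, quote=True)}</pre>"


def rendered_body_has_tag(rendered: str) -> bool:
    """True if the text placed inside the <pre> element still contains a live tag."""
    body = rendered[len("<pre>"):-len("</pre>")]
    return TAG_RE.search(body) is not None


def extract_event_name(line: str) -> str:
    """Return the event-name field of a log line, or '' if the line has none."""
    m = NAME_RE.search(line)
    return m.group(1) if m else ""


def flag_suspicious_lines(lines):
    """Review check: return (line_number, event_name) for every entry whose
    stored event name contains markup, i.e. a candidate stored-XSS payload."""
    hits = []
    for i, line in enumerate(lines, start=1):
        name = extract_event_name(line)
        if TAG_RE.search(name):
            hits.append((i, name))
    return hits


if __name__ == "__main__":
    for n, name in flag_suspicious_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: event name contains markup: {name!r}")
    print("unsafe render keeps tag:", rendered_body_has_tag(render_unsafe(SAMPLE_LOG_LINES[1])))
    print("safe render keeps tag:  ", rendered_body_has_tag(render_safe(SAMPLE_LOG_LINES[1])))
```

The fix the example demonstrates is context-appropriate output encoding at the point where the log viewer writes user-controlled text into the page; encoding on input alone is insufficient because the same stored value may be rendered in several contexts (calendar view, log viewer, exports). The `flag_suspicious_lines` check is useful when auditing existing logs or event tables for payloads that were stored before a patch was applied.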
---------------------------------------------------------------------  
[Vulnerability Type]:Cross Site Scripting (XSS)  
---------------------------------------------------------------------  
[Vendor of Product]:SeedDMS  
-------------------------------------------------------------------  
[Affected Product Code Base]:SeedDMS - 6.0.28  
-------------------------------------------------------------------  
[Affected Component]:The affected parameter is the event name parameter in the POST request  
-------------------------------------------------------------------  
[Attack Type]:Remote  
---------------------------------------------------------------------  
[Impact Information Disclosure]:true  
--------------------------------------------------------------------  
[CVE Impact Other]: Run arbitrary JavaScript code  
--------------------------------------------------------------------  
[Attack Vectors]:A crafted name for any event in the calendar  
--------------------------------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]:true  
--------------------------------------------------------------------  
[Discoverer]:Marco Nappi  
---------------------------------------------------------------------  
[Reference]:http://seeddms.com