POC details: 92f2213de83c7ebe50d3bbe8aecb6d9b4a33b651

Source
Associated vulnerability
Title: N/A (CVE-2025-25461)
Description: A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user with the "Add Category" permission, or a malicious administrator, can inject an XSS payload into the category name field. When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding. As a result, the XSS payload executes in the browser of any user who views the document.
Description
SeedDMS Stored Cross-Site Scripting (XSS)
Introduction
# 📌 CVE-2025-25461 - Stored Cross-Site Scripting (XSS) in SeedDMS 6.0.29

## 📝 Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in **SeedDMS 6.0.29**.  
A user or rogue admin with the **"Add Category"** permission can inject a malicious XSS payload into the category name field.  
When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding.  
This results in the XSS payload executing in the browser of any user who views the document.

## 🎯 Affected Product
- **Software:** SeedDMS
- **Version:** 6.0.29
- **Component:** Category Name Field

## ⚠️ Impact
- **Session Hijacking**
- **Data Exfiltration**
- **Phishing Attacks**
- **Remote Code Execution (via JavaScript)**

## 🔥 Proof of Concept (PoC)
### Steps to Reproduce:
1. Log in as a user with **"Add Category"** permissions.
2. Navigate to **Admin Panel > Categories**.
3. Create a new category with the following payload:
   ```html
   <script>alert(1)</script>
   ```
4. Save the category.
5. Associate a document with the malicious category.
6. When a user views the document, the payload executes in their browser.

### 📹 Video PoC:
🔗 [Watch Video PoC](https://drive.google.com/file/d/1QV9nyXnid1QigYAYzvCeRtUGSl35AbuG/view?usp=drive_link)

## 🛠️ Mitigation
- **Sanitize User Input**: Escape special characters in category names.
- **Use Content Security Policy (CSP)**: Prevent inline script execution.
- **Encode Output**: Ensure category names are properly encoded before rendering in the UI.
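The following is an added example, not code from SeedDMS or from the advisory author. It contrasts the unsafe pattern that produces the behaviour described in the PoC (a stored category name concatenated straight into HTML) with the encode-on-output fix the mitigation list asks for, and adds a small check an administrator could run over existing category names. The badge template shape and the function names are assumptions.

```javascript
// Added example (not SeedDMS code). Shows why a stored category name such as
// the PoC payload executes when rendered raw, and how output encoding stops it.
// The <span class="category"> template is an assumption about the UI.

// Constructed sample input: the category name used in the PoC above.
const STORED_CATEGORY_NAME = '<script>alert(1)</script>';

// Vulnerable pattern: untrusted text is concatenated directly into HTML,
// so the stored <script> element becomes part of the page.
function renderCategoryVulnerable(name) {
  return '<span class="category">' + name + '</span>';
}

// HTML-entity encode the five characters that can change HTML context.
function htmlEscape(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: encode at the point of output, whatever was stored.
// The browser then receives the payload as inert text, not as markup.
function renderCategoryHardened(name) {
  return '<span class="category">' + htmlEscape(name) + '</span>';
}

// Review aid for data already in the database: flag category names that
// contain markup-significant characters or entity sequences so an admin
// can inspect them after deploying the encoding fix.
function categoryNameLooksLikeMarkup(name) {
  return /[<>"']|&#|&[a-z]+;/i.test(name);
}

// Demonstration run with the constructed sample.
console.log('vulnerable:', renderCategoryVulnerable(STORED_CATEGORY_NAME));
console.log('hardened:  ', renderCategoryHardened(STORED_CATEGORY_NAME));
console.log('needs review:', categoryNameLooksLikeMarkup(STORED_CATEGORY_NAME));
```

Output encoding must be applied in every template that prints the category name (document view, category admin list, search results), since the stored value itself is unchanged by this fix.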

## 🔗 Reference
- 🔗 [SeedDMS Official Website](https://www.seeddms.org/)
- 🔗 [SeedDMS Discussion Thread](https://sourceforge.net/p/seeddms/discussion/general/thread/eb4ce9b1ff/)

## ✍️ Discoverer
- **Athul S**  
  - 🔗 [Linkedin](https://www.linkedin.com/in/athul-s-pentester/)
  - 🔗 [GitHub](https://github.com/RoNiXxCybSeC0101)

## 🏷️ CVE Assignment
- **CVE ID:** CVE-2025-25461

File snapshot

[4.0K] /data/pocs/92f2213de83c7ebe50d3bbe8aecb6d9b4a33b651
└── [2.0K] README.md
0 directories, 1 file