CVE-2018-12939

Name of the Vulnerable Software and Affected Versions SeedDMS versions prior to 5.1.8

Description A directory traversal flaw allows an authenticated attacker to write to or potentially delete arbitrary files by using a .. (dot dot) in the "qquuid" parameter of the "op/op.UploadChunks.php" endpoint. This can be leveraged to execute arbitrary code.

Recommendations For versions prior to 5.1.8, update to version 5.1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "op/op.UploadChunks.php" endpoint or disabling the qquuid parameter to minimize the risk of exploitation.