PT-2018-11496 · Seeddms · Seeddms

Published: 2018-07-31 · Updated: 2018-10-01 · CVE-2018-12940

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SeedDMS versions prior to 5.1.8

Description: The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the qqfile parameter. This enables an authenticated attacker to upload a malicious file containing PHP code to the web root of the application, which can then be used to execute operating system commands.

Recommendations: For versions prior to 5.1.8, update to version 5.1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "op/op.UploadChunks.php" file to minimize the risk of exploitation. Avoid using the qqfile parameter in the affected upload functionality until the issue is resolved.
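As an added example (not part of this advisory or of SeedDMS itself), the Python script below shows how a defender could hunt for the upload pattern described above in web server logs: it flags requests to op/op.UploadChunks.php whose qqfile value names a file with a PHP-executable extension, including double extensions such as name.txt.php5. It assumes an Apache combined-format access log in front of the application and that the qqfile value appears in the logged query string; the log lines, IPs, usernames and paths are constructed for illustration.

```python
"""Added example (not the advisory's or SeedDMS's own code): flag upload
requests to op/op.UploadChunks.php whose qqfile parameter names a file that
a PHP-enabled web server would execute."""
import re
from urllib.parse import urlparse, parse_qs

# Assumption: Apache "combined" access log format in front of SeedDMS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions PHP-enabled web servers commonly map to the PHP handler.
EXECUTABLE_EXTS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})

# Endpoint named in the advisory's workaround.
UPLOAD_ENDPOINT = "op/op.UploadChunks.php"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [31/Jul/2018:10:01:02 +0000] "POST /seeddms/op/op.UploadChunks.php?qqfile=report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [31/Jul/2018:10:02:15 +0000] "POST /seeddms/op/op.UploadChunks.php?qqfile=shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [31/Jul/2018:10:02:20 +0000] "POST /seeddms/op/op.UploadChunks.php?qqfile=image.PHTML HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - carol [31/Jul/2018:10:03:00 +0000] "GET /seeddms/out/out.ViewDocument.php?documentid=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - bob [31/Jul/2018:10:04:00 +0000] "POST /seeddms/op/op.UploadChunks.php?qqfile=notes.txt.php5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def is_executable_name(filename: str) -> bool:
    """True if any extension segment (not only the last one) is PHP-executable,
    so 'shell.php', 'image.PHTML' and 'notes.txt.php5' all match."""
    parts = filename.lower().split(".")[1:]
    return any(p in EXECUTABLE_EXTS for p in parts)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_uploads(log_text: str) -> list:
    """Return one finding per request that hits the upload endpoint with a
    qqfile value naming an executable file."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if not url.path.endswith(UPLOAD_ENDPOINT):
            continue
        # parse_qs already URL-decodes the value; a name may appear more than once.
        for name in parse_qs(url.query).get("qqfile", []):
            if is_executable_name(name):
                findings.append({
                    "ip": rec["ip"], "user": rec["user"], "time": rec["ts"],
                    "status": rec["status"], "qqfile": name,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} status={f['status']} qqfile={f['qqfile']}")
```

On the constructed sample this reports the three requests by "bob" and ignores the PDF upload and the document view. The extension list is deliberately an allowlist of what the PHP handler runs rather than a denylist of "bad" names, and it checks every dot-separated segment, because a double extension is the classic way an upload filter that only inspects the last segment is bypassed; a real deployment should extend the list to whatever handlers its own web server configuration maps.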

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2018-12940

Affected Products: Seeddms