SeedDMS 5.1.23 and later patch both issues. Official fix: https://sourceforge.net/p/seeddms/code/HEAD/tree/branches/stable5.1.x/
For administrators, the "happy ending" is staying ahead of the version curve. Developers recommend:
The core application allows authenticated users (and, in some misconfigured instances, guest users) to upload document revisions. The system does not sanitize file extensions or validate the file's actual MIME type against a strict allowlist.
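The check the passage says is missing, written as an added example (not SeedDMS code): the stored extension must come from a fixed allowlist and the file's leading bytes must match that type, so a client-supplied name or MIME header is never trusted. The allowlist and signatures are constructed for the example.

```python
# Added example, not SeedDMS's own upload code. Validates a document revision the
# way the text says SeedDMS failed to: extension allowlist plus content sniffing.
import os
import uuid

# Constructed allowlist: final extension -> magic bytes the file must start with.
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded revision.

    Only the last extension counts ("x.php.pdf" is judged as .pdf and then
    rejected on content; "x.pdf.php" is rejected on extension), the name may not
    carry path components or NUL bytes, and the body must match the type.
    """
    if "\x00" in filename or "\\" in filename or os.path.basename(filename) != filename:
        return False, "filename contains path separators or NUL"
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not in allowlist"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not match a .{ext} file"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name for the stored file; the client's name is never reused."""
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError("extension must be validated first")
    return f"{uuid.uuid4().hex}.{ext}"
```

The stored copy should also live outside the web root or under a handler that never executes it; the name check alone does not cover a server that runs files by content.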
When an authenticated admin visits the page, the document is locked without their consent.
SeedDMS versions before 5.1.8 contain SQL injection vulnerabilities, particularly in the "Users management" functionality. These vulnerabilities allow authenticated attackers to manipulate SQL queries and potentially extract, modify, or delete sensitive information in the database. More critically, attackers could potentially go on to execute system commands on the underlying operating system, leading to full system compromise.
SeedDMS is an open-source document management system. Like any software, it's not immune to potential security vulnerabilities.