CVE-2019-12744
published 2019-06-20

CVE-2019-12744: SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.

Priority: P261 high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 11.70% (95.5th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
seeddms | seeddms | < 5.1.11 | 5.1.11

Detection & IOCs (extracted from sources)

path: /op/op.Login.php
path: /out/out.AddDocument.php?folderid=1&showtree=1
path: /op/op.AddDocument.php
path: /data/1048576/<docID>/1.php
path: /data/1048576/
cookie: mydms_session
filename: phpCmdInjection.php
filename: 1.php
other: application/x-httpd-php
command: cmd=cat+/etc/passwd
  • Alert on HTTP GET or POST requests to the path pattern /data/1048576/<numeric_id>/1.php, which is the fixed storage path where SeedDMS saves uploaded document versions and where the webshell is accessed
  • Detect upload of files with .php extension to /op/op.AddDocument.php; legitimate document uploads should not include PHP scripts
  • Monitor for the presence of the session cookie 'mydms_session' combined with POST requests to document upload endpoints as an indicator of authenticated exploitation attempts
  • Detect PHP webshell content pattern using $_REQUEST['cmd'] with system() call written to files under /data/1048576/
  • The document storage path /data/1048576/ is described as a default; installations may use a different base data directory, so detection rules should account for configurable paths
  • Exploitation requires valid authenticated credentials; unauthenticated access to upload endpoints will fail, so brute-force or credential-stuffing against /op/op.Login.php may precede the RCE
  • The uploaded PHP webshell filename is randomly generated (20 lowercase characters) with a .php extension, making static filename-based detection insufficient; path pattern /data/1048576/<docID>/1.php is more reliable as the version file is always named 1.php
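
The path-based check from the notes above, as an added example (not code from the advisory or from SeedDMS). It assumes Apache/nginx "combined" access logs, takes the data directory as a parameter because that path is configurable, and flags any numeric version file ending in .php, which covers 1.php. The function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_PATH = "/op/op.AddDocument.php"

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2019:10:00:01 +0000] "POST /op/op.Login.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [20/Jun/2019:10:00:09 +0000] "POST /op/op.AddDocument.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [20/Jun/2019:10:00:15 +0000] "GET /data/1048576/7/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.4 - - [20/Jun/2019:10:02:00 +0000] "GET /data/1048576/9/1.php HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.4 - - [20/Jun/2019:10:02:05 +0000] "GET /data/1048576/9/1.pdf HTTP/1.1" 200 5120 "-" "-"',
]


def find_stored_php_requests(lines, data_prefix="/data/1048576/"):
    """Flag requests for <data_prefix><docID>/<version>.php (1.php is one case)."""
    stored_php = re.compile(
        re.escape(data_prefix) + r"(?P<doc>\d+)/\d+\.php(?:/|$)", re.IGNORECASE)
    uploaders, findings = set(), []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path.endswith(UPLOAD_PATH):
            uploaders.add(m["ip"])  # upload endpoint used; the body is not in the log
            continue
        hit = stored_php.search(url.path)
        if hit:
            findings.append({
                "line": n,
                "client": m["ip"],
                "doc_id": int(hit["doc"]),
                "status": int(m["status"]),
                # Only query-string parameters are visible in an access log.
                "has_cmd_param": "cmd" in parse_qs(url.query, keep_blank_values=True),
                "uploaded_earlier": m["ip"] in uploaders,
            })
    return findings
```

A finding with status 200 and uploaded_earlier set is the strongest signal; a 404 on the same path pattern still indicates probing and is worth reviewing.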

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P