Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-25461 PoC — SeedDMS 安全漏洞

Source
https://github.com/RoNiXxCybSeC0101/CVE-2025-25461
Associated Vulnerability
Title:SeedDMS 安全漏洞 (CVE-2025-25461)
Description:A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user or rogue admin with the "Add Category" permission can inject a malicious XSS payload into the category name field. When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding. This results in the XSS payload executing in the browser of any user who views the document.
Description
SeedDMS Stored Cross Site Scripting(XSS)
Readme
# 📌 CVE-2025-25461 - Stored Cross-Site Scripting (XSS) in SeedDMS 6.0.29

## 📝 Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in **SeedDMS 6.0.29**.  
A user or rogue admin with the **"Add Category"** permission can inject a malicious XSS payload into the category name field.  
When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding.  
This results in the XSS payload executing in the browser of any user who views the document.

## 🎯 Affected Product
- **Software:** SeedDMS
- **Version:** 6.0.29
- **Component:** Category Name Field

## ⚠️ Impact
- **Session Hijacking**
- **Data Exfiltration**
- **Phishing Attacks**
- **Remote Code Execution (via JavaScript)**

## 🔥 Proof of Concept (PoC)
### Steps to Reproduce:
1. Log in as a user with **"Add Category"** permissions.
2. Navigate to **Admin Panel > Categories**.
3. Create a new category with the following payload:
   ```html
   <script>alert(1)</script>
   ```
4. Save the category.
5. Associate a document with the malicious category.
6. When a user views the document, the payload executes in their browser.

### 📹 Video PoC:
🔗 [Watch Video PoC](https://drive.google.com/file/d/1QV9nyXnid1QigYAYzvCeRtUGSl35AbuG/view?usp=drive_link)

## 🛠️ Mitigation
- **Sanitize User Input**: Escape special characters in category names.
- **Use Content Security Policy (CSP)**: Prevent inline script execution.
- **Encode Output**: Ensure category names are properly encoded before rendering in the UI.

## 🔗 Reference
- 🔗 [SeedDMS Official Website](https://www.seeddms.org/)
- 🔗 [SeedDMS Discussion Thread](https://sourceforge.net/p/seeddms/discussion/general/thread/eb4ce9b1ff/)

✍️ Discoverer

## ✍️ Discoverer
- **Athul S**  
  - 🔗 [Linkedin](https://www.linkedin.com/in/athul-s-pentester/)
  - 🔗 [GitHub](https://github.com/RoNiXxCybSeC0101)

## 🏷️ CVE Assignment
- **CVE ID:** CVE-2025-25461
File Snapshot

 [4.0K]  /data/pocs/92f2213de83c7ebe50d3bbe8aecb6d9b4a33b651
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →