CVE-2025-25461
Last modified
CVE-2025-25461 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user or rogue admin with the "Add Category" permission can inject a malicious XSS payload into the category name field. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user or rogue admin with the "Add Category" permission can inject a malicious XSS payload into the category name field. When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding. This results in the XSS payload executing in the browser of any user who views the document.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Seeddms | Seeddms | 6.0.29 |
References
- https://github.com/RoNiXxCybSeC0101/CVE-2025-25461Exploit, Third Party Advisory
- https://www.seeddms.org/Product
- https://github.com/RoNiXxCybSeC0101/CVE-2025-25461Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-25461?
How severe is CVE-2025-25461?
How do I fix CVE-2025-25461?
Are you affected by CVE-2025-25461?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST