CVE-2014-2279 - Vulnerability Details - OpenCVE

Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Seeddms	Seeddms

Configuration 1 [-]

cpe:2.3:a:seeddms:seeddms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html
http://osvdb.org/show/osvdb/104466
http://packetstormsecurity.com/files/125726
http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG
http://www.securityfocus.com/bid/66256
https://exchange.xforce.ibmcloud.com/vulnerabilities/91831

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-10-17T23:00:00

Updated: 2024-08-06T10:06:00.266Z

Reserved: 2014-03-04T00:00:00

Link: CVE-2014-2279

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-10-17T23:55:02.103

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-2279

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-03-14T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "104466", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/104466"}, {"name": "20140314 Multiple Vulnerabilities in SeedDMS < = 4.3.3", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG"}, {"name": "seeddms-cve20142279-dir-trav(91831)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91831"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/125726"}, {"name": "66256", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/66256"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2279", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "104466", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/104466"}, {"name": "20140314 Multiple Vulnerabilities in SeedDMS < = 4.3.3", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html"}, {"name": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG", "refsource": "CONFIRM", "url": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG"}, {"name": "seeddms-cve20142279-dir-trav(91831)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91831"}, {"name": "http://packetstormsecurity.com/files/125726", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/125726"}, {"name": "66256", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66256"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:06:00.266Z"}, "title": "CVE Program Container", "references": [{"name": "104466", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/104466"}, {"name": "20140314 Multiple Vulnerabilities in SeedDMS < = 4.3.3", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG"}, {"name": "seeddms-cve20142279-dir-trav(91831)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91831"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/125726"}, {"name": "66256", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/66256"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2279", "datePublished": "2014-10-17T23:00:00", "dateReserved": "2014-03-04T00:00:00", "dateUpdated": "2024-08-06T10:06:00.266Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seeddms:seeddms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E589AC3E-AC5E-424E-A07C-C45344B5D8DD", "versionEndIncluding": "4.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en SeedDMS (anteriormente LetoDMS y MyDMS) anterior a 4.3.4 permiten (1) a usuarios remotos autenticados con acceso a la funcionalidad LogManagement leer archivos arbitrarios a trav\u00e9s de .. (punto punto) en el par\u00e1metro logname hacia out/out.LogManagement.php o (2) a atacantes remotos escribir archivos arbitrarios a trav\u00e9s de .. (punto punto) en el par\u00e1metro field hacia op/op.AddFile2.php. NOTA: el vector 2 puede aprovecharse de CVE-2014-2278 para ejecutar c\u00f3digo arbitrario."}], "id": "CVE-2014-2279", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-17T23:55:02.103", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/104466"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/125726"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/66256"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91831"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/104466"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/125726"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66256"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91831"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}