CVE-2019-12744
CVE-2019-12744
Vexday Risk Score
28Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Popular PoC on GitHub (1 stars) — exploitation code widely available.
CVSS —EPSS 11.7%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
20 Jun 2019Published on NVD
24 Jun 2019Public PoC
Weaponization speed
3 daysto first PoC
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/nobodyatall648/CVE-2019-12744★ 1cve_referencepacketstormsecurity.com/files/153383/SeedDMS-Remote-Command-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/163283/Seeddms-5.1.10-Remote-Command-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/50062unverifiedexploitdbwww.exploit-db.com/exploits/47022unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/153383/SeedDMS-Remote-Command-Execution.htmlhttp://packetstormsecurity.com/files/163283/Seeddms-5.1.10-Remote-Command-Execution.htmlhttps://secfolks.blogspot.com/2019/06/exploit-for-cve-2019-12744-remote.htmlhttps://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG