CVE-2025-45754: n/a
A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name.
AI Analysis
Technical Summary
CVE-2025-45754 is a stored cross-site scripting (XSS) vulnerability identified in SeedDMS version 6.0.32. SeedDMS is an open-source document management system used to organize, store, and manage electronic documents. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input when creating document names. An attacker can exploit this flaw by creating a document with a malicious JavaScript payload embedded in its name. When other users or administrators view or interact with the document list or details, the malicious script executes in their browsers within the context of the SeedDMS web application. This stored XSS vulnerability enables attackers to perform actions such as session hijacking, credential theft, or unauthorized actions on behalf of the victim user. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L), with no impact on availability (A:N). The requirement for privileges means an attacker must have some level of authenticated access to create documents, and user interaction is needed for the payload to execute. The scope change indicates that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are reported in the wild yet, and no patches or vendor advisories are currently linked. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. This vulnerability highlights the importance of input validation and output encoding in web applications, especially those handling user-generated content such as document names.
Potential Impact
For European organizations using SeedDMS 6.0.32, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to user sessions, data leakage, or manipulation of document management workflows. Since SeedDMS is often used in business and government environments to manage sensitive documents, successful exploitation could compromise confidentiality and integrity of stored information. The requirement for attacker authentication limits exposure to internal or trusted users, but insider threats or compromised accounts could leverage this vulnerability. The need for user interaction means phishing or social engineering could be used to trigger the payload. The scope change suggests that the impact could extend beyond the immediate document management interface, potentially affecting other integrated systems or user sessions. While availability is not impacted, the breach of confidentiality and integrity could have regulatory implications under GDPR for European entities, especially if personal or sensitive data is involved. The absence of known exploits reduces immediate risk but organizations should prioritize remediation to prevent future attacks.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately audit and restrict document creation permissions to trusted users only, minimizing the risk of malicious document names.
2) Apply strict input validation and output encoding on document names and any user-generated content within SeedDMS, ensuring that special characters and scripts are neutralized before rendering in the UI.
3) Monitor logs for unusual document creation activities or suspicious payload patterns.
4) Educate users about the risks of clicking on unexpected links or documents within the system to reduce successful social engineering.
5) If possible, upgrade to a patched version of SeedDMS once available or apply vendor-provided patches promptly.
6) Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce XSS impact.
7) Conduct regular security assessments and penetration tests focusing on web application vulnerabilities.
8) Implement multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability.
These targeted actions go beyond generic advice by focusing on access control, input handling, user awareness, and layered defenses specific to the SeedDMS environment.
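An added example for the output-encoding and monitoring mitigations above (not SeedDMS code and not part of the original advisory): it audits document names for HTML-significant characters and returns the encoded form that is safe to render. The (id, name) row layout, the sample rows and the function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample: (document id, document name) rows as they might be
# exported from a document table. Not real SeedDMS data.
SAMPLE_DOCUMENTS = [
    (101, "Q3 budget (final).pdf"),
    (102, "Meeting notes R&D"),
    (103, "<script>alert(1)</script>"),
    (104, 'invoice" onmouseover="x'),
    (105, "Contract <draft> v2"),
]

# Patterns that suggest active content rather than an innocent "<" or "&".
ACTIVE_CONTENT = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|a)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

def encode_for_html(name: str) -> str:
    """Encode a name for HTML text and quoted-attribute contexts."""
    return html.escape(name, quote=True)

def audit_document_names(rows):
    """Return findings for names that HTML encoding would alter."""
    findings = []
    for doc_id, name in rows:
        encoded = encode_for_html(name)
        if encoded == name:
            continue  # nothing HTML-significant in this name
        severity = "high" if ACTIVE_CONTENT.search(name) else "review"
        findings.append({"id": doc_id, "severity": severity, "encoded": encoded})
    return findings

if __name__ == "__main__":
    for f in audit_document_names(SAMPLE_DOCUMENTS):
        print(f"{f['id']:>5}  {f['severity']:<6}  {f['encoded']}")
```

Names flagged "review" are not necessarily malicious; they are names that render incorrectly or unsafely wherever the encoding step is missing, which makes them useful test cases after a fix is applied.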
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CISA Enriched: false
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682e0bf8c4522896dcc43f80
Added to database: 5/21/2025, 5:23:04 PM
Last enriched: 7/7/2025, 12:43:22 PM
Last updated: 9/24/2025, 11:14:15 PM