SeedDMS 6.0.28 Cross Site Scripting

SeedDMS version 6.0.28 suffers from a persistent cross site scripting vulnerability.

Packet Storm
[CVE-ID]: CVE-2024-46409

---------------------------------------------------------------------

[Suggested description]
A stored cross-site scripting (XSS) vulnerability in SeedDMS v6.0.28 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter in the Calendar page.

---------------------------------------------------------------------

[Additional Information]:
To reproduce it, follow these steps:
  1) log into SeedDMS
  2) create a new event named <svg onload=alert()>
  3) go to https://demo6.seeddms.org/out/out.LogManagement.php?logname=<date>.log

---------------------------------------------------------------------

[Vulnerability Type]:
Cross Site Scripting (XSS)

---------------------------------------------------------------------

[Vendor of Product]:
SeedDMS

---------------------------------------------------------------------

[Affected Product Code Base]:
SeedDMS - 6.0.28

---------------------------------------------------------------------

[Affected Component]:
The affected parameter is the Event name parameter in the POST request

---------------------------------------------------------------------

[Attack Type]:
Remote

---------------------------------------------------------------------

[Impact Information Disclosure]:
true

---------------------------------------------------------------------

[CVE Impact Other]:
Run arbitrary JavaScript code

---------------------------------------------------------------------

[Attack Vectors]:
A crafted name for any event in the calendar

---------------------------------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]:
true

---------------------------------------------------------------------

[Discoverer]:
Marco Nappi

---------------------------------------------------------------------

[Reference]:
http://seeddms.com
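The pattern behind this class of bug, as an added illustration rather than SeedDMS's own code: a log viewer that echoes stored lines straight into HTML, beside the hardened version that encodes at the point of output. The function names and the sample log lines are assumptions constructed for the example; the stored event name in them is the payload the advisory describes.

```php
<?php
// Added illustration, not SeedDMS code. Models a log-viewer page that prints
// stored log lines into HTML: the unsafe pattern and the hardened one.

// Constructed log lines. An earlier request stored an event name containing
// markup; if the viewer echoes the line raw, the browser executes it.
const SAMPLE_LINES = [
    '2024-09-01 10:00:00 INFO  user admin created event "<svg onload=alert()>"',
    '2024-09-01 10:01:00 INFO  user alice viewed document 42',
];

// Vulnerable pattern: raw string concatenation into HTML. Anything stored
// earlier (event names, user names, file names) becomes live markup here,
// even though a log file feels like "internal" data.
function render_log_unsafe(array $lines): string {
    $html = "<pre>\n";
    foreach ($lines as $line) {
        $html .= $line . "\n";
    }
    return $html . "</pre>\n";
}

// Hardened pattern: encode for the HTML text context where the data is
// written out. ENT_QUOTES also covers quotes, in case a line is ever placed
// inside an attribute value by a later template change.
function render_log_safe(array $lines): string {
    $html = "<pre>\n";
    foreach ($lines as $line) {
        $html .= htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
    return $html . "</pre>\n";
}

// Self-check (PHP 8+ for str_contains): the hardened output carries the
// event name as visible text, never as a tag.
$unsafe = render_log_unsafe(SAMPLE_LINES);
$safe   = render_log_safe(SAMPLE_LINES);
assert(str_contains($unsafe, '<svg onload=alert()>'));
assert(!str_contains($safe, '<svg'));
assert(str_contains($safe, '&lt;svg onload=alert()&gt;'));
echo $safe;
```

The same output encoding is needed at every place the stored event name is rendered (calendar view, log view, exports), since the sink, not the input form, decides whether the stored string is treated as markup.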
