Ready_ Wasn’t Ready – Four Critical Vulnerabilities in Symfonia eDokumenty
Intro
Symfonia eDokumenty, previously known as Ready_TM, is a Document Management System (DMS) used by many companies to manage electronic document workflows. Closely integrated with tools like Symfonia ERP, it plays a key role in processing sensitive business data across numerous Polish enterprises.
Together with Sławomir Zakrzewski, I analyzed version 7.19.39.7 of this application and discovered four critical vulnerabilities, now registered as:
- CVE-2025-1980 – Remote Code Execution via unrestricted file upload
- CVE-2025-1981 – SQL Injection
- CVE-2025-1982 – Local File Inclusion allowing unauthorized file access
- CVE-2025-1983 – Stored Cross-Site Scripting
These critical vulnerabilities highlight how essential consistent and thorough security testing is for applications that handle sensitive data. These findings serve as a reminder that without dedicated security testing, even well-established systems can expose businesses to serious risks, including service disruption and data breaches.
CVE-2025-1980 – Remote Code Execution via Unrestricted File Upload
This vulnerability affected the avatar upload functionality available in the user interface of Symfonia eDokumenty. While the feature was intended to accept image files (e.g., .jpg, .png), it failed to validate both the file type and its extension.
As a result, it was possible to upload arbitrary files — including PHP scripts — which were then stored in a publicly accessible directory on the server. Since the web server was configured to execute .php files, an attacker could upload a webshell and trigger it via a direct URL, gaining remote code execution (RCE) on the server.
Exploitation steps
- Log in to the application and navigate to your user settings (top right corner).
- Select a PHP webshell of your choice and temporarily change its extension to
.jpg. - Upload the webshell, but intercept the request using a proxy tool (e.g., Burp Suite) and modify the file extension in the request to
.php. - The server’s response will include the path where the file was saved (the filename will be changed).
- Visit the webshell URL. The server will execute the PHP code, allowing remote command execution.
Root Cause
- No validation of file extensions on the backend (e.g., only allowing
.jpg,.png) - No MIME type checking
- Uploaded files were stored in a web-accessible and executable directory
CVE-2025-1981 – SQL Injection
This vulnerability was found in the Purchase Invoices section of Ready_TM, specifically under:
Purchase Invoices → Invoices → All → Filters
The filtering functionality accepted user-supplied input to query invoice data, but failed to sanitize or parameterize SQL queries on the backend properly. This allowed injecting arbitrary SQL code directly into the application’s query logic.
By crafting a malicious filter input, an authenticated user could manipulate the underlying SQL query and gain access to sensitive information — including the ability to extract user password hashes — or potentially perform destructive actions such as modifying or deleting records
Exploitation steps
- Log in to the application and navigate to:
Purchase Invoices → Invoices → All → Filters - Choose one of the filter fields.
- Enter the following payload into the filter input:
1) AND 6363=(SELECT 6363 FROM PG_SLEEP(20)) AND (1=1 - Submit the filter and observe the server’s response time.
- If the server hangs or delays by approximately 20 seconds, it confirms the presence of a time-based blind SQL injection vulnerability.
- Further exploitation and data extraction can be automated using tools like sqlmap.
Root causes
- Lack of input sanitization and validation
- No use of parameterized (prepared) SQL statements
- Direct concatenation of user input into SQL queries
CVE-2025-1982 – Local File Inclusion
This vulnerability was identified in the Documents module of Symfonia eDokumenty. Users can attach external files using the “Add From Another Location” feature, which allows specifying a file URL to be added as a document attachment.
The feature accepted URLs without validating the scheme or destination, which made it possible to supply a file:// URI pointing to a file on the local filesystem of the server. As a result, an attacker could read arbitrary files from the application server — as long as the application process had read permissions to those paths.
Exploitation steps
- Log in to the application and go to the Documents section.
- Click New, then select File, and choose From location.
- Go to the Attachments tab and click Add from another location.
- In the Link to the file field, enter:
file:///etc/passwd - Submit the form. The content of the specified file is retrieved and attached to the document as if it came from an external source.
- Open the document preview or download the attachment to view the file content from the server.
Root causes
- No validation of the URI scheme (
file://should not be allowed) - No filtering of local file access
- Application performed server-side requests (SSR) without restriction (similar to SSRF)
CVE-2025-1983 – Stored Cross-Site Scripting (XSS)
This vulnerability was found in Symfonia eDokumenty’s File Explorer module. The issue arose from the application’s failure to properly sanitize file names when rendering them in the user interface.
An attacker could exploit this by uploading a file with a specially crafted name containing malicious JavaScript code. When another user interacted with the infected file — for example, by opening a context menu or viewing details — the script would be executed in their browser context.
Since the payload was stored on the server and persistently rendered for all users accessing the affected view, this constituted a Stored Cross-Site Scripting vulnerability.
Exploitation steps
- Log in to the application and navigate to the File Explorer module
- Upload a file with a malicious name, such as:
a<img src=x onerror=prompt(document.cookie)>.jpg - The file uploads successfully and appears in the file list without sanitization
- When a user interacts with the file (e.g., opens its location), the JavaScript executes in their browser
- The code runs with the permissions of the current session — potentially allowing session hijacking, privilege escalation, or other browser-based attacks
Root causes
- Lack of HTML escaping or sanitization of user-supplied input (filename)
- File names rendered directly into the DOM without validation
- No content security policy (CSP) to mitigate inline script execution
Impact
This vulnerability allowed authenticated users to perform Stored XSS attacks that persist across sessions and affect other users of the system. Depending on context, attackers could hijack user sessions, manipulate UI content, or perform actions on behalf of victims — especially dangerous in multi-user environments such as intranets or shared document platforms.
Summary
The vulnerabilities described in this post — ranging from Remote Code Execution to Stored XSS — show how multiple layers of risk can exist within a single business-critical application. None of the issues required deep exploitation techniques; instead, they highlight common pitfalls that can arise without consistent and thorough security testing.
Symfonia eDokumenty plays a vital role in document and data handling for many organizations. Ensuring that such systems are developed and maintained with security in mind is not just a technical requirement — it’s a business necessity.
This case reinforces the importance of regular application audits, secure development practices, and clear vulnerability reporting channels. We hope this analysis encourages other developers and vendors to take a proactive approach to security — before vulnerabilities become incidents.
Credits
This research was conducted together with Sławomir Zakrzewski, whose contribution and technical insight were key in identifying and analyzing the vulnerabilities described in this post.
I would also like to thank CERT Polska for their support in responsibly reporting these issues to the vendor and for coordinating the disclosure process.
Special thanks go to the Symfonia team for their cooperation and swift response. The reported vulnerabilities were addressed without delay, reflecting a responsible and proactive approach to product security.