Logicaldoc
CVE-2020-10366
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365.
AnalysisAI
LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365. Affected products include: Logicaldoc. Version information: before 8.3.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Logicaldoc
View allLogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents. Rated high severity (CVSS
LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect access control which could leave to privilege escalati
A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Rated
LogicalDOC Community Edition 8.x before 8.2.1 has a path traversal vulnerability that allows reading arbitrary files and
LogicalDoc before 8.3.3 allows SQL Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitab
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document. Rated medium s
The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticat
The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying
LogicalDOC Community Edition up to 9.2.1 fails to implement rate limiting on the admin login page (/login.jsp), allowing
There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. Rated medium se
Stored cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated users to inject malic
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today