Logicaldoc
LogicalDOC Community Edition up to 9.2.1 fails to implement rate limiting on the admin login page (/login.jsp), allowing remote attackers to conduct brute-force authentication attacks; attack complexity is high and exploitation is difficult. Publicly available exploit code exists, though the vendor has not responded to early disclosure notification, and real-world exploitation risk remains low given the EPSS score of 0.16% and the high attack complexity.
Stored cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated users to inject malicious scripts via the API Key creation UI, affecting the integrity of user data and potentially enabling credential theft or session hijacking. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists and the vendor has not responded to early disclosure notification.
Cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated attackers, with user interaction, to inject malicious scripts via contact form fields (First Name, Last Name, Company, Address, Phone, Mobile) on the /frontend.jsp Add Contact page. Publicly available exploit code exists; the EPSS score of 0.03% reflects a low real-world exploitation probability despite the public PoC, likely due to the authentication and user interaction requirements.
The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
There is a reflected cross-site scripting (XSS) vulnerability within the JSP files used to control the application's appearance. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch is available.