Submission #671389: LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting

Information

Title: LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting

Description: LogicalDOC version 9.2.1 is vulnerable to a stored Cross-Site Scripting (XSS) issue in the Contacts Form. Multiple input fields, including First Name, Last Name, Company, Address, Phone, and Mobile, fail to properly sanitize or encode user-supplied input. A low-privileged attacker can inject malicious JavaScript into these fields, which is then stored in the database and executed when other users, including administrators, view the affected contact record (e.g., through the "Share Contact" feature). Successful exploitation allows attackers to hijack sessions, escalate privileges, or perform arbitrary actions in the victim's browser.

Impact:
1. Confidentiality: Steal sensitive data or session cookies
2. Integrity: Perform actions as another user
3. Availability: Deface or disrupt application functionality

Full advisory and proof-of-concept: https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90

Source: https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90

User: Zeeshan Khan (UID 91384)

Submitted: 08/10/2025 12:23 PM (8 months ago)

Moderation: 19/10/2025 05:03 AM (11 days later)

Status: Approved

VulDB entry: 329026 [LogicalDOC Community Edition up to 9.2.1 Add Contact Page /frontend.jsp First Name/Last Name/Company/Address/Phone/Mobile cross site scripting]

Points: 20
