Submission #671389: LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting (Info)

Title: LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting
Description: LogicalDOC version 9.2.1 is vulnerable to a stored Cross-Site Scripting (XSS) issue in the Contacts Form. Multiple input fields including First Name, Last Name, Company, Address, Phone, and Mobile fail to properly sanitize or encode user-supplied input. A low-privileged attacker can inject malicious JavaScript into these fields, which is then stored in the database and executed when other users, including administrators, view the affected contact record (e.g., through the "Share Contact" feature). Successful exploitation allows attackers to hijack sessions, escalate privileges, or perform arbitrary actions in the victim's browser.
Impact:
1. Confidentiality: Steal sensitive data or session cookies
2. Integrity: Perform actions as another user
3. Availability: Deface or disrupt application functionality
Full advisory and proof-of-concept: https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90
Source: https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90
User: Zeeshan Khan (UID 91384)
Submitted: 2025-10-08, 12:23 PM (8 months ago)
Moderated: 2025-10-19, 05:03 AM (11 days later)
Status: Accepted
VulDB Entry: 329026 [LogicalDOC Community Edition up to 9.2.1 Add Contact Page /frontend.jsp First Name/Last Name/Company/Address/Phone/Mobile Cross Site Scripting]
Points: 20
