| Title | LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting |
|---|
| Description | LogicalDOC version 9.2.1 is vulnerable to a stored Cross-Site Scripting (XSS) issue in the Contacts Form. Multiple input fields including First Name, Last Name, Company, Address, Phone, and Mobile fail to properly sanitize or encode user-supplied input.
A low-privileged attacker can inject malicious JavaScript into these fields, which is then stored in the database and executed when other users, including administrators, view the affected contact record (e.g., through the “Share Contact” feature).
Successful exploitation allows attackers to hijack sessions, escalate privileges, or perform arbitrary actions in the victim’s browser.
Impact:
1. Confidentiality: Steal sensitive data or session cookies
2. Integrity: Perform actions as another user
3. Availability: Deface or disrupt application functionality
Full advisory and proof-of-concept:
https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90 |
|---|
| Source | ⚠️ https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90 |
|---|
| User | Zeeshan Khan (UID 91384) |
|---|
| Submission | 10/08/2025 12:23 (8 months ago) |
|---|
| Moderation | 10/19/2025 05:03 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 329026 [LogicalDOC Community Edition up to 9.2.1 Add Contact Page /frontend.jsp First Name/Last Name/Company/Address/Phone/Mobile cross site scripting] |
|---|
| Points | 20 |
|---|