| Title | LogicalDOC Community 9.2.1 Injection |
|---|
| Description | LogicalDOC version 9.2.1 is vulnerable to an iframe injection (stored HTML/JS) via the API Key creation UI. An attacker can submit an HTML payload in the API Key field which is persisted and executed when the key is displayed or rendered in the UI (for example when an administrator or other user views the API Key list or details), allowing arbitrary JavaScript to run in the context of any victim who views the page.
Steps to Reproduce
1. Log in to the account and navigate to `http://127.0.0.1:8080/frontend.jsp`
2. Go to Accounts → Security → API Key
3. Create a new API Key and enter the payload into the text field:
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
4. Click OK / save the API Key
5. Open the API Key renders the JavaScript (alert of document.cookie) is triggered, confirming iframe injection
Impact
* Steals session cookies and sensitive data.
* Executes malicious JavaScript in user context.
* Defaces or manipulates the application UI.
Recommendation
* Sanitize and encode all user inputs.
* Block HTML/script tags in API Key fields.
* Render user data as plain text only.
* Enforce a strict Content Security Policy.
* Audit and sanitize existing stored data.
Product Source:
Website: https://www.logicaldoc.com/
GitHub repository: https://github.com/logicaldoc/community
Credits
Zeeshan Khan
https://www.thezeeshankhan.site/ |
|---|
| Source | ⚠️ https://gist.github.com/thezeekhan/fa0dcfda4f1f915c625d3f89f8ec0529 |
|---|
| User | Zeeshan Khan (UID 91384) |
|---|
| Submission | 10/16/2025 18:53 (8 months ago) |
|---|
| Moderation | 10/31/2025 14:10 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 330806 [LogicalDOC Community Edition up to 9.2.1 API Key creation UI cross site scripting] |
|---|
| Points | 20 |
|---|