| Field | Value |
|---|---|
| Title | LogicalDOC LogicalDOC Community 9.2.1 Cross Site Scripting |
| Description | LogicalDOC version 9.2.1 is vulnerable to a stored Cross-Site Scripting (XSS) issue in the Contacts Form. Multiple input fields including First Name, Last Name, Company, Address, Phone, and Mobile fail to properly sanitize or encode user-supplied input.<br>A low-privileged attacker can inject malicious JavaScript into these fields, which is then stored in the database and executed when other users, including administrators, view the affected contact record (e.g., through the "Share Contact" feature).<br>Successful exploitation allows attackers to hijack sessions, escalate privileges, or perform arbitrary actions in the victim's browser.<br>Impact:<br>1. Confidentiality: Steal sensitive data or session cookies<br>2. Integrity: Perform actions as another user<br>3. Availability: Deface or disrupt application functionality<br>Full advisory and proof-of-concept: https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90 |
| Source | https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90 |
| User | Zeeshan Khan (UID 91384) |
| Submission | 08/10/2025 12:23 (8 months ago) |
| Moderation | 19/10/2025 05:03 (11 days later) |
| Status | accepted |
| VulDB Entry | 329026 [LogicalDOC Community Edition up to 9.2.1 Add Contact Page /frontend.jsp First Name/Last Name/Company/Address/Phone/Mobile Cross Site Scripting] |
| Points | 20 |