LogicalDOC Community Edition Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in LogicalDOC Community Edition versions through 9.2.1. The issue resides in the Add Contact page, specifically within the file /frontend.jsp. Multiple contact fields, including First Name, Last Name, Company, Address, Phone, and Mobile (excluding Email), are susceptible. The flaw allows injection of malicious HTML/JavaScript, which is then executed when the contact is viewed by other users, including administrators. Exploitation could lead to session hijacking, privilege escalation, or unauthorized actions performed in the context of the affected user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users viewing the affected contact, including admins.

Reproduction

To reproduce this vulnerability, log in as a normal user and navigate to the Add Contact page. Inject a script payload into any of the vulnerable fields (First Name, Last Name, Company, Address, Phone, Mobile) and save the contact. Then, share the contact with an admin user, who will trigger the stored XSS by opening the contact record.
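The defensive counterpart to the behaviour described above, as an added example that is not LogicalDOC code: encode the affected contact fields when they are rendered, and audit contacts already stored for markup in those fields. The property names (firstName, lastName, and so on), the function names and the sample records are assumptions made for illustration; the page does not show the application's data model.

```javascript
// Added example (not LogicalDOC code). Property names are hypothetical
// stand-ins for the fields the advisory lists; Email is excluded there.
const AFFECTED_FIELDS = ["firstName", "lastName", "company", "address", "phone", "mobile"];

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened rendering: every field is encoded at output time, so markup that
// was stored earlier is displayed as text instead of being parsed by the browser.
function renderContact(contact) {
  return AFFECTED_FIELDS
    .map((field) => `<td class="${field}">${escapeHtml(contact[field])}</td>`)
    .join("");
}

// Audit helper: list the affected fields of one contact that contain angle
// brackets. Legitimate names, addresses and phone numbers rarely need them.
function auditContact(contact) {
  return AFFECTED_FIELDS.filter((field) => /[<>]/.test(String(contact[field] ?? "")));
}

// Run the audit over many records and keep only those that need review.
function auditContacts(contacts) {
  return contacts
    .map((c) => ({ id: c.id, fields: auditContact(c) }))
    .filter((result) => result.fields.length > 0);
}

// Constructed sample records; the markup in record 2 is an inert marker.
const SAMPLE_CONTACTS = [
  { id: 1, firstName: "Ana", lastName: "O'Neil", company: "R&D", address: "1 Main St", phone: "555-0100", mobile: "" },
  { id: 2, firstName: "<script>/* constructed marker */</script>", lastName: "Doe", company: "Acme", address: "", phone: "", mobile: "" },
  { id: 3, firstName: "Li", lastName: "Wei", company: "Acme", address: "2 Side St", phone: "555-0101", mobile: "555-0102" },
];

console.log(auditContacts(SAMPLE_CONTACTS));
console.log(renderContact(SAMPLE_CONTACTS[1]));
```

Records flagged by the audit are candidates for review and cleanup; output encoding is what stops stored markup from executing in a viewer's session.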

Added: Oct 19, 2025, 10:18 PM
Updated: Oct 19, 2025, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 4.2
exploitability: 6.3
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.