LogicalDOC Community Edition Cross-Site Scripting Vulnerability in API Key Creation UI
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in LogicalDOC Community Edition versions prior to 9.2.1. The issue arises in the API Key creation user interface, where user input is not properly sanitized before being displayed. This flaw allows remote attackers to inject HTML payloads, including JavaScript, that are executed in the context of users who view the API Key details. The vulnerability was publicly disclosed and is actively exploitable.
Impact
Exploitation of this vulnerability allows for session cookie theft, execution of malicious JavaScript in the context of the user, and manipulation of the application interface. The injected script could be used to hijack user sessions or impersonate users, particularly those with administrative privileges.
Reproduction
To reproduce this vulnerability, log into LogicalDOC Community Edition version 9.2.1 and navigate to the API Key creation interface. Enter a payload containing an HTML iframe element with a JavaScript event handler into the API Key field. Once the key is saved, the injected script will execute when the API Key details are viewed, demonstrating the cross-site scripting vulnerability.
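The root cause described in the Vulnerability and Reproduction sections above is an API key name that is concatenated into the page as raw markup. The following is an added illustration written for this page, not LogicalDOC's own code: it shows the unsafe string-building pattern beside a version that HTML-encodes the name on output, plus an allow-list check on input so that a key label never carries markup in the first place. The `renderKeyRow*` functions, the `KEY_NAME_RE` allow-list and the constructed sample name are assumptions made for the example.

```javascript
// Added defensive example (not LogicalDOC code). Demonstrates escape-on-output
// and validate-on-input for a user-supplied API key name before it is rendered.

// Characters that change meaning inside HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value so the browser renders it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// UNSAFE: the pattern the advisory describes. Whatever the user typed as the
// key name becomes part of the DOM, tags and event handlers included.
function renderKeyRowUnsafe(key) {
  return `<tr><td>${key.name}</td><td>${key.created}</td></tr>`;
}

// SAFE: every untrusted field is encoded at the point it meets the markup.
function renderKeyRowSafe(key) {
  return `<tr><td>${escapeHtml(key.name)}</td><td>${escapeHtml(key.created)}</td></tr>`;
}

// Input-side allow-list (assumed policy): an API key name is a short label, so
// letters, digits, space, underscore, dot and hyphen are all it needs.
const KEY_NAME_RE = /^[A-Za-z0-9 _.\-]{1,64}$/;

function isValidKeyName(name) {
  return KEY_NAME_RE.test(String(name));
}

// Constructed sample input: a label that smuggles an iframe tag.
const CONSTRUCTED_KEY = {
  name: 'backup-job <iframe src="about:blank">',
  created: '2024-01-01',
};

// Helper used by the self-check: does a rendered row still contain an
// un-encoded iframe start tag?
function rowContainsIframeTag(html) {
  return html.includes('<iframe');
}

// Stand-alone run: compare the two renderers and the input check.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe row keeps tag :', rowContainsIframeTag(renderKeyRowUnsafe(CONSTRUCTED_KEY)));
  console.log('safe row keeps tag   :', rowContainsIframeTag(renderKeyRowSafe(CONSTRUCTED_KEY)));
  console.log('name passes allow-list:', isValidKeyName(CONSTRUCTED_KEY.name));
}
```

Output encoding is the control that actually closes the hole, because it protects every place the name is displayed; the allow-list is defence in depth and a useful server-side validation point. In a real browser the equivalent of `escapeHtml` is assigning to `textContent` rather than `innerHTML`, and in a GWT-based frontend `SafeHtmlUtils.htmlEscape()` performs the same encoding.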
