CVE-2024-12020

14.03.2025, 18:15

There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability.Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge.

This vulnerability only affects LogicalDOC Enterprise.

Cross-site Scripting

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
BlackDuck	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html