CVE-2025-12546
BaseFortify
Publication date: 2025-10-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| logicaldoc | logicaldoc | to 9.2.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12546 is a stored cross-site scripting (XSS) vulnerability in LogicalDOC Community Edition up to version 9.2.1. It occurs in the API Key creation user interface, where attacker-controlled HTML content can be injected into API Key label or description fields without proper sanitization or encoding. This malicious content, such as iframe elements with JavaScript event handlers, is stored and later executed in the context of any user viewing the API Key UI, including administrators. An attacker with low privileges can inject scripts that execute when higher-privileged users interact with the API Key display, potentially leading to session cookie theft, session hijacking, UI manipulation, or unauthorized actions performed as the victim user. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to theft of session cookies and sensitive data, execution of malicious scripts in the context of users who view the API Key UI, including administrators, and manipulation or defacement of the application's user interface. Attackers can hijack user sessions or perform unauthorized actions by exploiting the stored XSS flaw. Since the malicious payload is stored and executed when the API Key is viewed, it can affect multiple users and compromise the integrity and security of the application environment. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create an API Key with a malicious payload in the API Key creation UI, such as injecting an iframe with JavaScript (e.g., <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>). After creation, viewing the API Key list or details page should trigger the JavaScript if the vulnerability is present. Detection involves logging into LogicalDOC, navigating to Accounts → Security → API Key, and testing with such payloads. There are no specific network commands provided, but manual testing of the API Key creation interface with XSS payloads is recommended. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: properly sanitizing and encoding all user inputs in the API Key fields; blocking HTML and script tags in API Key metadata fields; rendering user-submitted data as plain text only; enforcing a strict Content Security Policy (CSP); and auditing and sanitizing existing stored API Key data to remove any malicious content. Since the vendor has not responded or provided patches, consider restricting API Key creation privileges to trusted users only and monitoring for suspicious activity. [1, 3, 2]