Vulnerability Details CVE-2019-25258
LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 70.5%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2019-25258
-
cpe:2.3:a:logicaldoc:logicaldoc:7.1.1
-
cpe:2.3:a:logicaldoc:logicaldoc:7.4.2
-
cpe:2.3:a:logicaldoc:logicaldoc:7.5.1
-
cpe:2.3:a:logicaldoc:logicaldoc:7.6.2
-
cpe:2.3:a:logicaldoc:logicaldoc:7.6.4
-
cpe:2.3:a:logicaldoc:logicaldoc:7.7.1
-
cpe:2.3:a:logicaldoc:logicaldoc:7.7.2
-
cpe:2.3:a:logicaldoc:logicaldoc:7.7.3
-
cpe:2.3:a:logicaldoc:logicaldoc:7.7.4