CVE-2024-12020
MEDIUMLogicalDOC Enterprise - Unauthenticated Reflected Cross-Site Scripting in JSP Files
Title source: llmDescription
There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise.
References (1)
Core 1
Core References
Third Party Advisory third-party-advisory
https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
15.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
logicaldoc/logicaldoc
8.9.3
Published
Mar 14, 2025
Tracked Since
Feb 18, 2026