CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-12245 – Blind SQL Injection in Logout
https://notcve.org/view.php?id=CVE-2024-12245
14 Mar 2025 — Logout functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Logout functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12020 – Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2024-12020
14 Mar 2025 — There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise. There is a reflected cross-site scripting (XSS) within JSP files used ... • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-12019 – Arbitrary File Read via Document API
https://notcve.org/view.php?id=CVE-2024-12019
14 Mar 2025 — The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application. The API used to inter... • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-23: Relative Path Traversal •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-54449 – Remote Code Execution (RCE) via Arbitrary File Write In Document API
https://notcve.org/view.php?id=CVE-2024-54449
14 Mar 2025 — The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underl... • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-23: Relative Path Traversal •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-54448 – Remote Code Execution (RCE) via Automation Scripting
https://notcve.org/view.php?id=CVE-2024-54448
14 Mar 2025 — The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use Automation Scripting is needed to carry out the attack. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. The Automation Scripting functionality can be exploited by at... • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-54447 – Blind SQLi in Saved Search
https://notcve.org/view.php?id=CVE-2024-54447
14 Mar 2025 — Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-54446 – Blind SQLi in Document History
https://notcve.org/view.php?id=CVE-2024-54446
14 Mar 2025 — Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database co... • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-54445 – Blind SQLi in Login
https://notcve.org/view.php?id=CVE-2024-54445
14 Mar 2025 — Login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. • https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •