LogicalDOC Community Edition API Key creation UI cross site scripting

A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

LogicalDOC

Community Edition

9.2.0 - AFFECTED

9.2.1 - AFFECTED

References

VDB-330806 | LogicalDOC Community Edition API Key creation UI cross site scripting

https://vuldb.com/?id.330806

vdb-entry

VDB-330806 | CTI Indicators (IOB, IOC, TTP)

https://vuldb.com/?ctiid.330806

signaturepermissions-required

Submit #677170 | LogicalDOC Community 9.2.1 Injection

https://vuldb.com/?submit.677170

third-party-advisory

gist.github.com

https://gist.github.com/thezeekhan/fa0dcfda4f1f915c625d3f89f8ec0529

exploit

JSON source

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-12546",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-10-31T18:59:31.730Z",
    "dateReserved": "2025-10-31T13:10:09.009Z",
    "datePublished": "2025-10-31T18:32:05.885Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-10-31T18:32:05.885Z"
      },
      "title": "LogicalDOC Community Edition API Key creation UI cross site scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "In LogicalDOC Community Edition up to 9.2.1 wurde eine Schwachstelle gefunden. Dies betrifft einen unbekannten Teil der Komponente API Key creation UI. Dank der Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden."
        }
      ],
      "affected": [
        {
          "vendor": "LogicalDOC",
          "product": "Community Edition",
          "modules": [
            "API Key creation UI"
          ],
          "versions": [
            {
              "version": "9.2.0",
              "status": "affected"
            },
            {
              "version": "9.2.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross Site Scripting",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Code Injection",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.330806",
          "name": "VDB-330806 | LogicalDOC Community Edition API Key creation UI cross site scripting",
          "tags": [
            "vdb-entry"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.330806",
          "name": "VDB-330806 | CTI Indicators (IOB, IOC, TTP)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.677170",
          "name": "Submit #677170 | LogicalDOC Community 9.2.1 Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://gist.github.com/thezeekhan/fa0dcfda4f1f915c625d3f89f8ec0529",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 4
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-10-31T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-10-31T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-10-31T14:15:24.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Zeeshan Khan (VulDB User)",
          "type": "reporter"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-10-31T18:59:31.730Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2025-12546