CyRC Advisory: Eight vulnerabilities discovered in LogicalDOC

Matthew Hogg

Feb 05, 2025 / 5 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) discovered eight vulnerabilities in the LogicalDOC document management system (DMS). LogicalDOC DMS is designed to be a central management location for all documents within an organization. It is offered in community and enterprise editions, both of which contain these vulnerabilities. 

These vulnerabilities open the software to risks including SQL injections, remote code execution (RCE) via arbitrary file write and automation scripting, and cross-site scripting (XSS). The CyRC team developed a proof-of-concept that links a selection of these vulnerabilities together to achieve pre-authentication RCE on systems running LogicalDOC software when certain prerequisites are met. 

All vulnerabilities were confirmed in LogicalDOC Enterprise Edition version 8.9.3. Five of these vulnerabilities have been remediated in LogicalDOC Community Edition version 9.1, and two remain unpatched. One vulnerability affects only the Enterprise Edition of LogicalDOC. 

Specific details of the vulnerabilities have been omitted to protect LogicalDOC customers. 


CVE-2024-54445: Blind SQL Injection in Login

Summary

The login functionality contains a blind SQL injection vulnerability that can be exploited by unauthenticated attackers. The Login Throttling feature must be enabled for this vulnerability to be exploited. 

Impact

Using a time-based blind SQLi technique, an attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence of entries in certain database tables. 

CVSS Base Score: 8.7 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)

CAPEC-7: Blind SQL Injection

Remediation

This vulnerability has been mitigated in LogicalDOC Community and Enterprise Editions version 9.1 by this commit.

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.

CVE-2024-54446: Blind SQL Injection in document history

Summary

The document history functionality contains a blind SQL injection vulnerability that can be exploited by authenticated attackers.

Impact

Using a time-based blind SQLi technique, an attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence of entries in certain database tables. 

CVSS Base Score: 7.1 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)

CAPEC-7: Blind SQL Injection

Remediation

This vulnerability has not been mitigated. 

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.

CVE-2024-54447: Blind SQL Injection in saved search

Summary

The saved search functionality contains a blind SQL injection vulnerability that can be exploited by authenticated attackers.

Impact

Using a time-based blind SQLi technique, an attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence of entries in certain database tables. 

CVSS Base Score: 7.1 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)

CAPEC-7: Blind SQL Injection

Remediation

This vulnerability has been mitigated in LogicalDOC Community and Enterprise Editions version 9.1 by this commit.

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.

CVE-2024-54448: Remote Code Execution (RCE) via Automation Scripting

Summary

The automation scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use automation scripting is needed to carry out the attack.

Impact

Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. 

CVSS Base Score: 8.6 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE-94: Improper Control of Generation of Code (“Code Injection”) 

CAPEC-242: Code Injection

Remediation

This vulnerability has been mitigated in LogicalDOC Community and Enterprise Editions version 9.1 by this commit and this commit.

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.

CVE-2024-54449: Remote Code Execution (RCE) via Arbitrary File Write in Document API

Summary

The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with read and write privileges on at least one existing document in the application is required to exploit the vulnerability. 

Impact

Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. 

CVSS Base Score: 8.7 (High)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE-23: Relative Path Traversal 

CAPEC-139: Relative Path Traversal 

Remediation

This vulnerability has been mitigated in LogicalDOC Community and Enterprise Editions version 9.1 by this commit. 

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.

CVE-2024-12019: Arbitrary File Read via Document API

Summary

The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with read and download privileges on at least one existing document in the application is required to exploit the vulnerability.

Impact

Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application. 

CVSS Base Score: 7.1 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-23: Relative Path Traversal 

CAPEC-139: Relative Path Traversal

Remediation

This vulnerability has been mitigated in LogicalDOC Community and Enterprise Editions version 9.1 by this commit. 

Discovery credit

Matthew Hogg from the CyRC discovered the vulnerability.
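Both document API findings above (CVE-2024-54449 arbitrary file write and CVE-2024-12019 arbitrary file read) are CWE-23 relative path traversal. The following is an added illustration of the containment check that closes that class of flaw in a file-by-name API; it is not LogicalDOC's code, and the store root, file names and symlink are constructed for the demo.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a caller-supplied name would leave the document store."""


def resolve_inside(store_root: str, user_supplied: str) -> str:
    """Return the canonical on-disk path for user_supplied inside store_root.

    Rejects absolute names, '..' traversal and symlinks that resolve outside
    the store, so an API that reads or writes documents by name cannot be
    steered to arbitrary files (the CWE-23 pattern of both findings above).
    """
    if not user_supplied:
        raise PathEscapeError("empty file name")
    # Canonicalise the root once so both sides of the comparison are real paths.
    root = os.path.realpath(store_root)
    # join() discards root when user_supplied is absolute; realpath() then
    # resolves '..' and symlinks, giving the true target on disk.
    candidate = os.path.realpath(os.path.join(root, user_supplied))
    # commonpath() compares whole components, so '/store2/x' fails for '/store'.
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError(f"path escapes document store: {user_supplied!r}")
    return candidate


def check_names(store_root: str, names) -> dict:
    """Classify each name as 'ok' or 'rejected' (used by the demo below)."""
    verdicts = {}
    for name in names:
        try:
            resolve_inside(store_root, name)
            verdicts[name] = "ok"
        except PathEscapeError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed store containing a symlink that points outside it.
    with tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(store, "docs"))
        os.symlink(os.path.dirname(store), os.path.join(store, "docs", "escape"))
        sample = ["docs/report.pdf", "docs/../docs/a.txt", "../../etc/passwd",
                  "/etc/passwd", "docs/escape/secret.txt"]
        for name, verdict in check_names(store, sample).items():
            print(f"{verdict:8} {name}")
```

The symlink case matters because a prefix check on the normalised string alone would accept `docs/escape/secret.txt`; only comparing real paths catches it.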

CVE-2024-12020: Reflected Cross-Site Scripting

Summary

There is a reflected cross-site scripting vulnerability within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability.  

This vulnerability only affects LogicalDOC Enterprise.

Impact

Stealing the session cookie is not possible due to cookie security flags; however, the cross-site scripting vulnerability may be used to induce a victim to perform on-site requests without their knowledge. 

CVSS Base Score: 6.4 (Medium) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N 

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 

CAPEC-591: Reflected XSS

Remediation

This vulnerability has not been mitigated.

Discovery credit

Scott Tolley from the CyRC discovered the vulnerability.

CVE-2024-12245: Blind SQL Injection in Logout

Summary

The logout functionality contains a blind SQL Injection vulnerability that can be exploited by unauthenticated attackers.

Impact

Using a time-based blind SQLi technique, an attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence of entries in certain database tables. 

CVSS Base Score: 8.7 (High) 

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)

CAPEC-7: Blind SQL Injection

Remediation

This vulnerability has not been mitigated.

Discovery credit

Scott Tolley from the CyRC discovered the vulnerability.
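The login (CVE-2024-54445) and logout (CVE-2024-12245) injections are reachable without credentials and are exploited with a time-based technique, which leaves a latency signature in web server access logs. The following is an added detection example, not code from the advisory or from LogicalDOC; the endpoint paths and the log format (client, request, status, response time in milliseconds) are constructed assumptions, and any access log that records response time can be mapped onto the same fields.

```python
import re
from collections import defaultdict

# Unauthenticated endpoints named in the advisory (the exact paths are assumptions).
WATCHED = ("/login", "/logout")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# Constructed sample: 10.0.0.5 interleaves ordinary failed logins with requests
# that each take about five seconds; 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
10.0.0.5 "POST /login" 401 42
10.0.0.5 "POST /login" 401 5031
10.0.0.5 "POST /login" 401 39
10.0.0.5 "POST /login" 401 5044
10.0.0.5 "GET /logout" 302 5019
10.0.0.5 "POST /login" 401 5027
10.0.0.9 "POST /login" 200 55
10.0.0.9 "GET /documents" 200 120
10.0.0.9 "POST /login" 401 60
"""


def parse(log_text):
    """Yield (client, path without query string, response ms) per parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["ms"])


def suspicious_clients(log_text, slow_ms=3000, min_slow=3, jitter_ms=200):
    """Return {client: slow_count} for clients with at least min_slow slow hits
    on watched endpoints whose slow latencies sit within jitter_ms of each other.

    An injected fixed delay yields a tight cluster of near-identical response
    times; genuine server load produces a spread, so the jitter bound cuts
    false positives from ordinary slowness."""
    slow = defaultdict(list)
    for ip, path, ms in parse(log_text):
        if path in WATCHED and ms >= slow_ms:
            slow[ip].append(ms)
    flagged = {}
    for ip, latencies in slow.items():
        if len(latencies) >= min_slow and max(latencies) - min(latencies) <= jitter_ms:
            flagged[ip] = len(latencies)
    return flagged


if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # {'10.0.0.5': 4}
```

The thresholds are starting points to tune against a baseline of each deployment's own login latency; the same query applies to the authenticated document history and saved search endpoints once the relevant paths are added to WATCHED.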

Timeline

  • September 4, 2024: Initial disclosure 
  • September 9, 2024: Vendor contact attempted 
  • September 18, 2024: Vendor notified 
  • September 26, 2024: Additional vulnerability disclosed to vendor 
  • February 5, 2025: Advisory published by Black Duck 

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization that publishes scores should follow its guidelines so that anyone can understand how a score was calculated.
