Description
LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through the unverified 'suffix' and 'fileVersion' parameters. By placing directory traversal sequences in these parameters, attackers can use the /thumbnail and /convertpdf endpoints to read sensitive system files such as win.ini and /etc/passwd.
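For reviewing web access logs for this pattern, the following added example (not part of the CVE record or the vendor's code) flags requests to the two endpoints whose 'suffix' or 'fileVersion' value decodes to a '..' path segment. The log format, the `id` parameter and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINTS = ("/thumbnail", "/convertpdf")  # endpoints named in the description
PARAMS = {"suffix", "fileVersion"}         # parameters named in the description
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each flagged request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.rstrip("/").endswith(ENDPOINTS):
            continue
        # parse_qsl decodes once; fully_decode handles any further encoding layers
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            if name in PARAMS and is_traversal(raw):
                hits.append((n, name, fully_decode(raw)))
    return hits

# Constructed sample lines (hypothetical hosts, users and 'id' parameter)
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Feb/2018:10:01:02 +0000] "GET /thumbnail?id=42&suffix=thumb.jpg HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [12/Feb/2018:10:03:10 +0000] "GET /thumbnail?id=42&suffix=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1802',
    '10.0.0.9 - bob [12/Feb/2018:10:03:40 +0000] "GET /convertpdf?id=42&fileVersion=%252e%252e%255c%252e%252e%255cwin.ini HTTP/1.1" 200 92',
    '10.0.0.7 - carol [12/Feb/2018:10:05:00 +0000] "GET /download?id=7&suffix=..%2fx HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for line_no, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {param}={value!r}")
```

Because the flaw is post-authentication, a flagged line also identifies the account whose session should be reviewed.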
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Credits
LiquidWorm as Gjoko Krstic of Zero Science Lab
References
www.exploit-db.com/exploits/44019 (ExploitDB-44019)
www.logicaldoc.com (LogicalDOC Official Product Homepage)
www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php (Zero Science Lab Disclosure (ZSL-2018-5450))
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.