CVE-2024-12019 HIGH

CVE-2024-12019: Arbitrary File Read via Document API

Vendor Logicaldoc

Product LogicalDOC Community

Weakness CWE-23

Published March 14, 2025

Last update March 18, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application.

Key dates

02Disclosure timeline

March 14, 2025 CVE published

March 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12019

Related vulnerabilities

Identifiers

CVE CVE-2024-12019

CWE CWE-23

CVSS 7.1 / HIGH

Affected versions

Vendor Logicaldoc

Product LogicalDOC Community

Affected < 9.1

Vendor Logicaldoc

Product LogicalDOC Enterprise

Affected < 9.1

CVE-2024-12019: Arbitrary File Read via Document API

01Description

02Disclosure timeline

03References

04Related CVE