Platform: other
Component: logicaldoc-enterprise
Fixed in: 7.7.5, 7.7.4, 7.7.3, 7.7.2, 7.6.5, 7.6.3, 7.5.2, 7.4.3, 7.1.2
CVE-2019-25258 describes a directory traversal vulnerability discovered in LogicalDOC Enterprise. This vulnerability allows authenticated attackers to read arbitrary files on the system by manipulating parameters within the /thumbnail and /convertpdf endpoints. The vulnerability impacts versions 7.1.1 through 7.7.4, and a fix is available in version 7.7.5.
Successful exploitation of CVE-2019-25258 allows an attacker to bypass access controls and read sensitive system files. By crafting malicious requests with manipulated suffix and fileVersion parameters, an attacker can leverage directory traversal sequences to access files outside of the intended scope. This could include critical configuration files like win.ini (on Windows systems) or /etc/passwd (on Linux systems), potentially revealing usernames, passwords, and other sensitive information. The potential for data exfiltration and system compromise is significant.
CVE-2019-25258 was published on December 24, 2025. There is currently no indication of active exploitation in the wild. No public proof-of-concept exploits have been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Organizations utilizing LogicalDOC Enterprise for document management, particularly those with older versions (7.1.1 – 7.7.4), are at risk. Shared hosting environments where multiple users have access to the LogicalDOC Enterprise instance are also particularly vulnerable, as a compromised user account could be leveraged to exploit this vulnerability.
• windows / other: Monitor event logs for unusual file access attempts, particularly targeting files outside of the LogicalDOC Enterprise application directory. Use Sysinternals Process Monitor to observe file system activity related to the LogicalDOC Enterprise process.
• linux / server: Examine auditd logs for attempts to access files outside the expected directories. Use lsof to identify processes accessing sensitive system files.
• generic web: Inspect access logs for requests to /thumbnail and /convertpdf endpoints with unusual or excessively long parameters. Look for patterns indicative of path traversal attempts.
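The "generic web" check above can be automated. The script below is an added example, not code from the advisory or from LogicalDOC: it parses access-log lines in the common/combined format, keeps only requests to the /thumbnail and /convertpdf endpoints named in the advisory, percent-decodes every query parameter repeatedly (so double-encoded sequences are unwrapped), and reports parameters that carry traversal sequences or are unusually long. The log lines are constructed for the demonstration, and the 200-character length threshold is an assumption to tune per deployment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the advisory for CVE-2019-25258.
WATCHED_ENDPOINTS = ("/thumbnail", "/convertpdf")
# Assumption: a sane upper bound for a suffix/fileVersion value; tune per deployment.
MAX_PARAM_LEN = 200

# Common/combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Dot-dot segments (either separator), or an absolute POSIX/Windows path.
TRAVERSAL_RE = re.compile(r'(\.\.[/\\])|(^/)|(^[A-Za-z]:\\)')


def decode_fully(value, rounds=3):
    """Percent-decode until stable so %252e%252e%252f becomes ../ as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return the reasons a request target looks like a traversal attempt ([] if clean)."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if not any(path.startswith(ep) for ep in WATCHED_ENDPOINTS):
        return []  # other endpoints are out of scope for this check
    reasons = []
    # parse_qsl already decodes one layer; decode_fully handles any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            reasons.append(f"traversal in {name}={value!r}")
        elif len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized {name} ({len(value)} chars)")
    return reasons


def scan_access_log(lines):
    """Yield (client, timestamp, target, reasons) for every suspect request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("client"), m.group("ts"), m.group("target"), reasons))
    return hits


# Constructed sample log: one benign thumbnail request, one single-encoded and one
# double-encoded traversal attempt, and a traversal on an endpoint that is not watched.
SAMPLE_LOG = [
    '10.0.0.5 - alice [24/Dec/2025:10:01:02 +0000] "GET /thumbnail?docId=42&fileVersion=1.0&suffix=thumb.png HTTP/1.1" 200 5120',
    '10.0.0.7 - bob [24/Dec/2025:10:02:15 +0000] "GET /thumbnail?docId=42&fileVersion=..%2F..%2F..%2Fetc%2Fpasswd&suffix=thumb.png HTTP/1.1" 200 1834',
    '10.0.0.7 - bob [24/Dec/2025:10:02:40 +0000] "GET /convertpdf?docId=42&suffix=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - carol [24/Dec/2025:10:03:00 +0000] "GET /download?docId=42&fileVersion=../../etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, ts, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client} {target}\n    " + "; ".join(reasons))
```

Feed it the real access log of the reverse proxy or servlet container in front of LogicalDOC (for example with `scan_access_log(open(path))`). A request that is flagged and also received a 200 status deserves the same follow-up as the host-level checks above: confirm on the server which file the application actually opened.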
disclosure
Exploit status
EPSS: 1.88% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25258 is to upgrade LogicalDOC Enterprise to version 7.7.5 or later, which contains the necessary fix. If an immediate upgrade is not possible, consider implementing temporary workarounds such as restricting access to the /thumbnail and /convertpdf endpoints to trusted users only. Network segmentation can also limit the blast radius. Monitor access logs for unusual file access patterns, particularly attempts to access files outside of the expected directories. After upgrading, confirm the fix by attempting to access sensitive files using the vulnerable parameters; access should be denied.
Update LogicalDOC Enterprise to a version later than 7.7.4 that fixes the directory traversal vulnerabilities. Consult the vendor's website for the latest version and upgrade instructions.
CVE-2019-25258 is a vulnerability allowing authenticated attackers to read arbitrary files on a LogicalDOC Enterprise server by manipulating parameters in specific endpoints.
You are affected if you are running LogicalDOC Enterprise versions 7.1.1 through 7.7.4. Upgrade to 7.7.5 or later to resolve the issue.
Upgrade LogicalDOC Enterprise to version 7.7.5 or later. As a temporary workaround, restrict access to the vulnerable endpoints and monitor access logs.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit given post-authentication access.
Refer to the LogicalDOC security advisories page for the latest information and updates regarding this vulnerability.