CVE-2019-25258

Name of the Vulnerable Software and Affected Versions LogicalDOC Enterprise version 7.7.4

Description The software contains multiple post-authentication file disclosure issues that allow attackers to read arbitrary files through unverified suffix and fileVersion parameters. Attackers can exploit directory traversal techniques in the /thumbnail and /convertpdf API endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences.

Recommendations Update to a newer version that contains a fix for this vulnerability.