Title: LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
Advisory ID: ZSL-2018-5450
Impact: Exposure of System Information, Exposure of Sensitive Information
Release Date: 11.02.2018
LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.
The application suffers from multiple post-auth file disclosure vulnerabilities when input passed through the 'suffix' and 'fileVersion' parameters is not properly verified before being used to include files. This can be exploited to read arbitrary files from local resources with directory traversal attacks.
LogicalDOC Srl - <https://www.logicaldoc.com>
Microsoft Windows 10
Linux Ubuntu 16.04
[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <firstname.lastname@example.org>
[11.02.2018] - Initial release
[21.02.2018] - Added reference , ,  and 
Zero Science Lab