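LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges. Note that the CVSS 3.1 vector in the JSON record below rates integrity and availability impact as NONE (base score 6.5, MEDIUM), which appears to understate the command execution described here; triage on the described impact rather than on the base score alone.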
LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation
Problem type: CWE-426 (Untrusted Search Path)
Affected products
LogicalDOC Srl
7.7.4 - AFFECTED
7.7.3 - AFFECTED
7.7.2 - AFFECTED
7.7.1 - AFFECTED
7.6.4 - AFFECTED
7.6.2 - AFFECTED
7.5.1 - AFFECTED
7.4.2 - AFFECTED
7.1.1 - AFFECTED
References
https://www.exploit-db.com/exploits/44021
https://www.logicaldoc.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php
GitHub Security Advisories
GHSA-xx8r-jj29-vw5j
LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities...
https://github.com/advisories/GHSA-xx8r-jj29-vw5j
LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25257
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25257",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:21:30.648Z",
"dateReserved": "2025-12-24T14:27:12.479Z",
"datePublished": "2025-12-24T19:28:06.119Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:28:06.119Z"
},
"datePublic": "2018-01-26T00:00:00.000Z",
"title": "LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation",
"descriptions": [
{
"lang": "en",
"value": "LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges."
}
],
"affected": [
{
"vendor": "LogicalDOC Srl",
"product": "LogicalDOC Enterprise",
"versions": [
{
"version": "7.7.4",
"status": "affected"
},
{
"version": "7.7.3",
"status": "affected"
},
{
"version": "7.7.2",
"status": "affected"
},
{
"version": "7.7.1",
"status": "affected"
},
{
"version": "7.6.4",
"status": "affected"
},
{
"version": "7.6.2",
"status": "affected"
},
{
"version": "7.5.1",
"status": "affected"
},
{
"version": "7.4.2",
"status": "affected"
},
{
"version": "7.1.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Untrusted Search Path",
"cweId": "CWE-426",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/44021",
"name": "ExploitDB-44021",
"tags": [
"exploit"
]
},
{
"url": "https://www.logicaldoc.com",
"name": "Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php",
"name": "Zero Science Lab Disclosure (ZSL-2018-5452)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:21:30.648Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.exploit-db.com/exploits/44021",
"tags": [
"exploit"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}