
CVE-2025-12546: Cross Site Scripting in LogicalDOC Community Edition

Severity: Medium
Published: Fri Oct 31 2025 (10/31/2025, 18:32:05 UTC)
Source: CVE Database V5
Vendor/Project: LogicalDOC
Product: Community Edition

Description

A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. It affects an unknown part of the API Key creation UI component. The manipulation causes cross-site scripting. Remote exploitation is possible. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 10/31/2025, 18:50:14 UTC

Technical Analysis

CVE-2025-12546 identifies a cross-site scripting vulnerability in LogicalDOC Community Edition, specifically affecting versions 9.2.0 and 9.2.1. The vulnerability resides in the API Key creation UI component, where insufficient input sanitization allows attackers to inject JavaScript. Injected script executes in the context of the victim's browser, which can lead to session hijacking, defacement, or unauthorized actions within the application. The attack vector requires no authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS 4.0 score of 5.1 (medium) reflects low attack complexity and no required privileges, offset by limited impact on confidentiality and integrity. The vendor was notified early but has not issued patches or responded, leaving users exposed. Although no active exploitation has been reported, the public disclosure increases the likelihood of exploitation attempts. LogicalDOC Community Edition is an open-source document management system used by a range of organizations to manage digital documents, so the vulnerability is relevant to any environment that relies on it for secure document workflows.

Potential Impact

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized access to user sessions, enabling attackers to perform actions on behalf of legitimate users or steal sensitive information accessible through the LogicalDOC interface. This could compromise document confidentiality and integrity, especially if API keys or administrative functions are targeted. While the vulnerability does not directly impact system availability, successful exploitation could facilitate further attacks or lateral movement within networks. Organizations handling sensitive or regulated documents (e.g., legal, financial, healthcare sectors) face increased risks of data breaches or compliance violations. The lack of vendor response and patches prolongs exposure, increasing the window for attackers to develop and deploy exploits. Given LogicalDOC’s use in collaborative and document-intensive environments, the impact could extend to multiple users and departments within affected organizations.

Mitigation Recommendations

European organizations should immediately review their use of LogicalDOC Community Edition versions 9.2.0 and 9.2.1 and consider the following specific mitigations:

1) Restrict access to the API Key creation UI to trusted administrators only, using network segmentation and access control lists to limit exposure.
2) Implement web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting LogicalDOC interfaces.
3) Educate users about the risks of clicking untrusted links or interacting with suspicious content related to LogicalDOC.
4) Monitor application logs for unusual activity around API key creation or user sessions to detect potential exploitation attempts.
5) If feasible, migrate to a newer or alternative document management solution that is actively maintained and patched.
6) Employ Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources.
7) Regularly back up LogicalDOC data and configurations to enable recovery in case of compromise.
8) Engage with the LogicalDOC community or security forums to track any unofficial patches or mitigations until an official fix is released.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-10-31T13:10:09.009Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690504b88e4e31169790790f

Added to database: 10/31/2025, 6:49:28 PM

Last enriched: 10/31/2025, 6:50:14 PM

Last updated: 11/1/2025, 1:25:36 PM
