LogicalDOC version 9.2.1 is vulnerable to stored cross-site scripting through HTML injection (an injected <iframe>) in the API Key creation UI. An attacker can submit an HTML payload in the API Key field; the payload is persisted and rendered as markup wherever the key is later displayed in the UI (for example when an administrator or another user views the API Key list or details), so attacker-controlled JavaScript runs in the browser of any user who views that page.
The API Key creation/storage functionality accepts and persists attacker-controlled HTML in the API Key label/description field (or a similar metadata field). The stored value is later written into the management/listing pages without output encoding or sanitization. Because the field is interpreted as HTML rather than text, elements such as <iframe> carrying event handlers (e.g. onmouseover) execute JavaScript as soon as the victim interacts with the rendered element; with the payload shown below that interaction is a mouse hover, but since arbitrary markup is accepted, the attacker is not limited to handlers that need user interaction.
This allows a low-privileged user who is permitted to create API keys to inject HTML/JS that executes in the context of higher-privileged users (administrators) or any other user who views the API Key UI, enabling cookie theft, session hijacking, UI manipulation, or actions performed with the victim's privileges.
Steps to reproduce:
- Log in to the application and navigate to http://127.0.0.1:8080/frontend.jsp (local test instance; adjust host and port for the target).
- Go to Accounts → Security → API Key.
- Create a new API Key and enter the following payload into the text field:
  <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
- Click OK / save the API Key.
- Open the API Key list or details page and move the mouse over the rendered entry: the injected JavaScript runs (an alert showing document.cookie), confirming the iframe injection.
Impact:
- Theft of session cookies and other sensitive data reachable from the page. Reading the session cookie via document.cookie only works if it lacks the HttpOnly flag, but even when the flag is set the injected script can still issue authenticated requests as the victim.
- Execution of arbitrary JavaScript in the victim's session, including actions performed with the victim's (possibly administrative) privileges.
- Defacement or manipulation of the application UI, for example to phish credentials from the victim.
Remediation:
- Apply context-aware output encoding to every user-controlled value at the point it is rendered (HTML body, attribute, JavaScript or URL context); input filtering on its own is bypassable and does not protect values that are already stored.
- Reject markup in API Key fields: a key label has no legitimate need for HTML, so restrict it to a conservative character set (alphanumerics, spaces and a few punctuation characters) and a sensible maximum length.
- Render stored labels as text only (a DOM text node or an escaped string), never by concatenating them into page markup.
- Deploy a strict Content Security Policy (no 'unsafe-inline'; script sources limited to the application's own origin or nonces) as defense in depth; such a policy would block the inline onmouseover handler used in the proof of concept.
- Mark the session cookie HttpOnly (and Secure) so that document.cookie does not expose it to injected script.
- Audit existing stored API Key records for markup and sanitize or delete affected entries; a fix applied only at creation time leaves previously stored payloads live.
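As an added illustration of the encoding, validation and audit advice above (example code written for this page, not LogicalDOC's own; every function, field and class name below is an assumption), the following script places the vulnerable rendering pattern next to its fixed counterpart and runs the advisory's payload through both, then applies the same validation rule to a constructed set of stored records to find entries that need cleanup:

```javascript
// Added example (not LogicalDOC code): the unsafe rendering pattern behind the
// bug next to two fixes, output encoding and input validation, plus a check
// for auditing already-stored labels. Names and record shape are assumptions.

// Payload from the advisory, used as test input.
const PAYLOAD = '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>';

// Unsafe: the stored label is concatenated straight into page markup. When
// this string reaches the DOM via innerHTML (or a UI widget that accepts raw
// HTML), the browser creates a live <iframe> whose handler fires on hover.
function renderLabelUnsafe(label) {
  return `<td class="apikey-label">${label}</td>`;
}

// Fix 1, output encoding: escape the characters that carry meaning in HTML
// so the browser displays the label as literal text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderLabelSafe(label) {
  return `<td class="apikey-label">${escapeHtml(label)}</td>`;
}

// Fix 2, server-side input validation: a key label has no legitimate need
// for markup, so accept only a conservative character set and length.
const LABEL_RE = /^[A-Za-z0-9 _.-]{1,64}$/;
function isValidLabel(label) {
  return typeof label === 'string' && LABEL_RE.test(label);
}

// Audit helper for data stored before the fix: returns the ids of records
// whose label would fail validation today (the id/label shape is assumed).
function findSuspiciousLabels(records) {
  return records.filter((r) => !isValidLabel(r.label)).map((r) => r.id);
}

// Constructed sample of stored API Key records, not real data.
const SAMPLE_RECORDS = [
  { id: 1, label: 'backup-agent' },
  { id: 2, label: PAYLOAD },
  { id: 3, label: 'ci pipeline key' },
  { id: 4, label: '<img src=x onerror=alert(1)>' },
];

// Self-check when run directly with node.
console.log(renderLabelUnsafe(PAYLOAD));           // live <IFRAME ...> in the markup
console.log(renderLabelSafe(PAYLOAD));             // &lt;IFRAME ...&gt; shown as text
console.log(findSuspiciousLabels(SAMPLE_RECORDS)); // [ 2, 4 ]
```

The encoding step is the fix that actually closes the bug; the validation rule and the audit pass are defense in depth and cleanup respectively, and the CSP and HttpOnly settings listed above limit what a payload that slips through can still do.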
Affected version:
- LogicalDOC v9.2.1 (the version tested)