CVE-2024-54449 HIGH

CVE-2024-54449: Remote Code Execution (RCE) via Arbitrary File Write In Document API

Vendor Logicaldoc

Product LogicalDOC Community

Weakness CWE-23

Published March 14, 2025

Last update March 18, 2025

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC.

Key dates

02Disclosure timeline

March 14, 2025 CVE published

March 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-54449 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

Identifiers

CVE CVE-2024-54449

CWE CWE-23

CVSS 8.7 / HIGH

Affected versions

Vendor Logicaldoc

Product LogicalDOC Community

Affected < 9.1

Vendor Logicaldoc

Product LogicalDOC Enterprise

Affected < 9.1

CVE-2024-54449: Remote Code Execution (RCE) via Arbitrary File Write In Document API

01Description

02Disclosure timeline

03References

04Related CVE