CVE-2024-54449

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-54449
The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:community:*:*:*
cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:enterprise:*:*:*
History

07 Nov 2025, 02:22

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
References () https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html - () https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html - Third Party Advisory
CPE cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:logicaldoc:logicaldoc:*:*:*:*:community:*:*:*
First Time Logicaldoc
Logicaldoc logicaldoc
Summary
  • (es) La API utilizada para interactuar con los documentos de la aplicación contiene dos endpoints con una vulnerabilidad que permite a un atacante autenticado escribir un archivo con contenido controlado en una ubicación arbitraria del sistema de archivos subyacente. Esto puede utilizarse para facilitar la ejecución remota de comandos (RCE). Se requiere una cuenta con privilegios de lectura y escritura en al menos un documento existente en la aplicación para explotar la vulnerabilidad. Esta vulnerabilidad permitiría a un atacante ejecutar comandos de su elección en el sistema operativo subyacente del servidor web que ejecuta LogicalDOC.

14 Mar 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-14 18:15

Updated : 2025-11-07 02:22

NVD link : CVE-2024-54449

Mitre link : CVE-2024-54449

CVE.ORG link : CVE-2024-54449

JSON object : View

Products Affected

logicaldoc

  • logicaldoc
CWE
CWE-23

Relative Path Traversal