CVE-2024-54449

Published Mar 14, 2025

Last updated 6 months ago

CVSS high 8.7
API

Overview

Description
The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC.
Source
disclosure@synopsys.com
NVD status
Analyzed
Products
logicaldoc

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

disclosure@synopsys.com
CWE-23

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2024-54449 🔴 HIGH (8.7) 🏢 LogicalDOC - LogicalDOC Community 🏗️ 0 🔗 https://t.co/jPwDaB6yh2 #CyberCron #VulnAlert #InfoSec https://t.co/CXr2tHt7Ar

    @cybercronai

    16 Mar 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-54449 The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled co… https://t.co/djaxS60ARc

    @CVEnew

    14 Mar 2025

    142 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2024-54449: HIGH] Flaw in API endpoints of an application allows attackers to write files to system, leading to Remote Code Execution risk if exploited. Requires 'read' and 'write' access to a document.#cybersecurity,#vulnerability https://t.co/aXbantevfe https://t.co/lnIn6W

    @CveFindCom

    14 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  2. A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.CVE-2026-25197
  3. GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account.CVE-2026-4312
  4. Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.CVE-2026-4270
  5. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.CVE-2026-28789

References

Sources include official advisories and independent security research.