How to fix CVE-2024-54449?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Is Logicaldoc affected by CVE-2024-54449?

Organizations using API used to interact with documents in the application face significant risk from CVE-2024-54449 rated CVSS 8.7. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems.

CVE-2024-54449

HIGH

2025-03-14 [email protected]

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:31 vuln.today

CVE Published

Mar 14, 2025 - 18:15 nvd

HIGH 8.7

Description

The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC.

Analysis

The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical Context

This vulnerability is classified under CWE-23. The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. This can be used to facilitate RCE. An account with ‘read’ and ‘write’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. Affected products include: Logicaldoc.

Affected Products

Logicaldoc.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.5

CVSS: +44

POC: 0

CVE-2024-54449 vulnerability details – vuln.today

Back

CVE-2024-54449

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-54449

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code