PT-2025-11299 · Unknown · Logicaldoc

Matthew Hogg · Published 2025-03-14 · Updated 2025-11-07 · CVE-2024-54449

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LogicalDOC (affected versions not specified)

Description: The application's document-interaction API contains two endpoints with a flaw that allows an authenticated attacker to write a file with attacker-controlled content to an arbitrary location on the underlying file system (a relative path traversal in the file-write path). This can be used to achieve Remote Code Execution (RCE). Exploitation requires an account with ‘read’ and ‘write’ privileges on at least one existing document within the application. Successful exploitation allows the attacker to execute commands on the operating system of the web server running LogicalDOC.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
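The flaw described above is a file-write endpoint whose destination is not confined to the document store. The following is an added illustration of the containment check a hardened write endpoint would apply to a client-supplied relative name; it is not LogicalDOC's code, and the function names, the storage-root path and the sample names are assumptions. It rejects absolute names, parent-directory segments and backslashes, then resolves symlinks and confirms the result still sits strictly inside the storage root, since a lexical check alone misses a link that points outside it.

```python
# Added illustration (not LogicalDOC code): a server-side containment check
# for a file-write endpoint that accepts a client-supplied relative path.
# The function names and all sample paths below are constructed.
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a requested name would land outside the storage root."""


def resolve_within(base_dir: str, relative_name: str) -> Path:
    """Map a client-supplied relative name onto an absolute path that is
    guaranteed to lie inside base_dir, or raise PathTraversalError.

    Checks, in order: no backslashes or NUL bytes, the name is non-empty
    and not absolute, it has no '..' segments, and after resolving any
    existing symlinks the target is still strictly below the storage root.
    """
    base = Path(base_dir).resolve()
    if "\\" in relative_name or "\0" in relative_name:
        raise PathTraversalError(f"illegal characters in name: {relative_name!r}")
    candidate = PurePosixPath(relative_name)
    if candidate.is_absolute() or not candidate.parts:
        raise PathTraversalError(f"absolute or empty name: {relative_name!r}")
    if ".." in candidate.parts:
        raise PathTraversalError(f"parent-directory segment in name: {relative_name!r}")
    # Resolve through symlinks that already exist under the root; a purely
    # lexical check would accept "link/file" when "link" points outside.
    target = base.joinpath(*candidate.parts).resolve()
    if base not in target.parents:
        raise PathTraversalError(f"name escapes storage root: {relative_name!r}")
    return target


def is_contained(base_dir: str, relative_name: str) -> bool:
    """Boolean form of resolve_within, convenient for tests and logging."""
    try:
        resolve_within(base_dir, relative_name)
        return True
    except PathTraversalError:
        return False


def write_document(base_dir: str, relative_name: str, data: bytes) -> Path:
    """What a hardened write endpoint does: validate first, then create the
    parent directories and write, never touching anything outside base_dir."""
    target = resolve_within(base_dir, relative_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def run_demo() -> dict:
    """Exercise the check against constructed names inside a throwaway
    storage root, including a symlink that points outside that root.
    Returns {check name: True/False, or None if the platform lacks symlinks}."""
    root = tempfile.mkdtemp(prefix="docstore-")
    results = {}
    # A legitimate upload lands inside the root.
    written = write_document(root, "reports/2025/q1.txt", b"quarterly report")
    results["good write inside root"] = (
        written.read_bytes() == b"quarterly report"
        and is_contained(root, "reports/2025/q1.txt")
    )
    # Lexical traversal attempts: every one must be refused.
    for name in ("../outside.txt", "/etc/hostname", "a/../../x", "", "..", "sub\\..\\x"):
        results[f"refused {name!r}"] = not is_contained(root, name)
    # A symlink under the root pointing at the root's parent directory.
    link = Path(root) / "escape"
    try:
        os.symlink(Path(root).resolve().parent, link)
        results["refused write through symlink"] = not is_contained(root, "escape/outside.txt")
    except (OSError, NotImplementedError):
        results["refused write through symlink"] = None
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        label = "PASS" if ok else ("SKIP" if ok is None else "FAIL")
        print(f"{label} {check}")
```

The order of the checks matters: the NUL and backslash rejection runs before any path object is built, and the symlink-aware `resolve()` runs last so that a link created earlier under the root cannot turn an otherwise clean relative name into a write elsewhere on the file system.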

RCE

Relative Path Traversal


Weakness Enumeration

Related Identifiers: CVE-2024-54449

Affected Products: Logicaldoc