CVE-2024-54448— Remote Code Execution (RCE) via Automation Scripting
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-54448
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote Code Execution (RCE) via Automation Scripting
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use Automation Scripting is needed to carry out the attack. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
LogicalDOC 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LogicalDOC是美国LogicalDOC公司的一套使用Java技术开发的文件管理系统。该系统具有Lucene全文搜索索引和自动导入等功能。 LogicalDOC存在安全漏洞,该漏洞源于自动化脚本功能,可能导致攻击者在底层操作系统上执行任意命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| LogicalDOC | LogicalDOC Community | 0 ~ 9.1 | - | |
| LogicalDOC | LogicalDOC Enterprise | 0 ~ 9.1 | - |
II. Public POCs for CVE-2024-54448
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-54448
请登录查看更多情报信息。
- CyRC Advisory: Eight vulnerabilities in LogicalDOC | Black Duckthird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-54448
Same Patch Batch · LogicalDOC · 2025-03-14 · 8 CVEs total
| CVE-2024-54445 | Blind SQLi in Login | |
| CVE-2024-54446 | Blind SQLi in Document History | |
| CVE-2024-54447 | Blind SQLi in Saved Search | |
| CVE-2024-12245 | Blind SQL Injection in Logout | |
| CVE-2024-12019 | Arbitrary File Read via Document API | |
| CVE-2024-12020 | Reflected Cross-Site Scripting (XSS) | |
| CVE-2024-54449 | Remote Code Execution (RCE) via Arbitrary File Write In Document API |
IV. Related Vulnerabilities
Same vendor: LogicalDOC
- CVE-2025-12547
LogicalDOC Community Edition Admin Login login.jsp excessive - CVE-2025-12546
LogicalDOC Community Edition API Key creation UI cross site - CVE-2025-11946
LogicalDOC Community Edition Add Contact frontend.jsp cross - CVE-2024-12245
Blind SQL Injection in Logout - CVE-2024-12020
Reflected Cross-Site Scripting (XSS)
Same weakness: CWE-94
- CVE-2025-15463
Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticate - CVE-2021-47939
Evolution CMS 3.1.6 Authenticated Remote Code Execution via - CVE-2021-47938
ImpressCMS 1.4.2 Remote Code Execution via Autotasks - CVE-2021-47935
Sentry 8.2.0 Remote Code Execution via Pickle Deserializatio - CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php
V. Comments for CVE-2024-54448
No comments yet