CVE-2024-55354: Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure...

5.1 CVSS

Description

Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be expected to be blocked and access resources that would be expected to be protected.

Classification

CVE ID: CVE-2024-55354

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-807 Reliance on Untrusted Inputs in a Security Decision

Affected Products

Vendor: Lucee

Product: Lucee Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.42% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-21 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-55354
https://dev.lucee.org/t/lucee-cve-2024-55354-security-advisory-april-2025/14963

Timeline