Vulnerabilites related to pwndoc_project - pwndoc
Vulnerability from fkie_nvd
Published
2024-12-10 23:15
Modified
2025-04-18 17:35
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn't need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "75E37346-1FF1-4E5E-81B2-3DDFF78894A4",
"versionEndExcluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn\u0027t need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available."
},
{
"lang": "es",
"value": "PwnDoc es un generador de informes de pruebas de penetraci\u00f3n. En versiones hasta la 0.5.3 inclusive, un usuario autenticado puede hacer que el backend se bloquee al generar un `UnhandledPromiseRejection` en las auditor\u00edas, lo que hace que salga del backend. El usuario no necesita saber el ID de auditor\u00eda, ya que un ID de auditor\u00eda incorrecto tambi\u00e9n generar\u00e1 el rechazo. Si el backend no responde, toda la aplicaci\u00f3n se vuelve inutilizable para todos los usuarios de la aplicaci\u00f3n. Al momento de la publicaci\u00f3n, no hay parches conocidos disponibles."
}
],
"id": "CVE-2024-55653",
"lastModified": "2025-04-18T17:35:00.030",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-10T23:15:06.410",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-05 20:15
Modified
2025-04-24 14:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pwndoc/pwndoc | Product | |
| cve@mitre.org | https://github.com/pwndoc/pwndoc/issues/401 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pwndoc/pwndoc | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pwndoc/pwndoc/issues/401 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | 0.5.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:0.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F29517B8-EBB0-43D7-869B-8DFCB9EB99BD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file."
}
],
"id": "CVE-2022-45771",
"lastModified": "2025-04-24T14:15:44.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-05T20:15:11.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/401"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/401"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-30 00:15
Modified
2025-05-07 14:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cve.nstsec.com/cve-2022-44022 | ||
| cve@mitre.org | https://github.com/pwndoc/pwndoc/issues/381 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cve.nstsec.com/cve-2022-44022 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pwndoc/pwndoc/issues/381 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "84379E02-9EB4-4FA1-8341-3CF6ECFC3903",
"versionEndIncluding": "0.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts."
},
{
"lang": "es",
"value": "PwnDoc hasta 0.5.3 podr\u00eda permitir a atacantes remotos identificar nombres de cuentas de usuario v\u00e1lidos aprovechando los tiempos de respuesta para los intentos de autenticaci\u00f3n."
}
],
"id": "CVE-2022-44022",
"lastModified": "2025-05-07T14:15:38.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-30T00:15:10.197",
"references": [
{
"source": "cve@mitre.org",
"url": "https://cve.nstsec.com/cve-2022-44022"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/381"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cve.nstsec.com/cve-2022-44022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/381"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-19 20:15
Modified
2024-11-21 06:05
Severity ?
Summary
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F55B8D68-06E1-4503-8C9E-1DF489E80975",
"versionEndExcluding": "0.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the \"user\" privilege. Even after a user\u0027s account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system."
},
{
"lang": "es",
"value": "PwnDoc todas las versiones hasta la 0.4.0 (2021-08-23) tiene un manejo incorrecto de JSON Webtoken, lo que lleva a un control de acceso incorrecto. Con un Webtoken JSON v\u00e1lido que se utiliza para la autenticaci\u00f3n y la autorizaci\u00f3n, un usuario puede mantener sus privilegios de administrador incluso si es degradado al privilegio de \"usuario\". Incluso despu\u00e9s de que se elimine la cuenta de un usuario, \u00e9ste puede seguir accediendo al panel de administraci\u00f3n (y a\u00f1adir o eliminar usuarios) y tiene acceso completo al sistema"
}
],
"id": "CVE-2021-31590",
"lastModified": "2024-11-21T06:05:57.697",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-19T20:15:08.660",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/pull/128"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/pull/74"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/pull/128"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/pull/74"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-28 21:15
Modified
2025-04-16 13:04
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20",
"versionEndExcluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry\u0027s name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."
},
{
"lang": "es",
"value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad era vulnerable a la navegaci\u00f3n por rutas en el nombre de la entrada TAR, lo que permit\u00eda a un atacante sobrescribir cualquier archivo del sistema con su contenido. Al sobrescribir un archivo `.js` incluido y reiniciar el contenedor, se permite la ejecuci\u00f3n remota de c\u00f3digo como administrador. La ejecuci\u00f3n remota de c\u00f3digo se produce porque cualquier usuario con `backups:create` y `backups:update` (solo administradores de forma predeterminada) puede sobrescribir cualquier archivo del sistema. La versi\u00f3n 1.2.0 soluciona el problema."
}
],
"id": "CVE-2025-27410",
"lastModified": "2025-04-16T13:04:55.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-28T21:15:27.677",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-30 00:15
Modified
2024-11-21 07:27
Severity ?
Summary
PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cve.nstsec.com/cve-2022-44023 | ||
| cve@mitre.org | https://github.com/pwndoc/pwndoc/issues/382 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cve.nstsec.com/cve-2022-44023 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pwndoc/pwndoc/issues/382 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "84379E02-9EB4-4FA1-8341-3CF6ECFC3903",
"versionEndIncluding": "0.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts."
},
{
"lang": "es",
"value": "PwnDoc hasta 0.5.3 podr\u00eda permitir a atacantes remotos identificar nombres de cuentas de usuario deshabilitadas aprovechando los mensajes de respuesta para intentos de autenticaci\u00f3n.\n"
}
],
"id": "CVE-2022-44023",
"lastModified": "2024-11-21T07:27:33.160",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-30T00:15:10.253",
"references": [
{
"source": "cve@mitre.org",
"url": "https://cve.nstsec.com/cve-2022-44023"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/382"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cve.nstsec.com/cve-2022-44023"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/issues/382"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-10 17:15
Modified
2025-04-18 18:06
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF684B65-D693-4EE1-ABCE-86336036F55A",
"versionEndIncluding": "1.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue."
},
{
"lang": "es",
"value": "PwnDoc es un generador de informes de pruebas de penetraci\u00f3n. Antes del commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, un usuario autenticado que puede actualizar y descargar plantillas puede inyectar secuencias de path traversal (`../`) en la propiedad de extensi\u00f3n de archivo para leer archivos arbitrarios en el sistema. El commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contiene un parche para el problema."
}
],
"id": "CVE-2024-55602",
"lastModified": "2025-04-18T18:06:39.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-10T17:15:15.423",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Product"
],
"url": "https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-20 16:15
Modified
2025-05-07 18:59
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "75E37346-1FF1-4E5E-81B2-3DDFF78894A4",
"versionEndExcluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user\u0027s behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue."
},
{
"lang": "es",
"value": "PwnDoc es un generador de informes de pruebas de penetraci\u00f3n. No hay protecci\u00f3n CSRF en pwndoc, lo que permite a los atacantes enviar solicitudes en nombre de un usuario conectado. Esto incluye solicitudes GET y POST debido a la falta del atributo SameSite= en las cookies y la capacidad de actualizar las cookies. El commit 14acb704891245bf1703ce6296d62112e85aa995 soluciona el problema."
}
],
"id": "CVE-2025-23044",
"lastModified": "2025-05-07T18:59:21.327",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-20T16:15:28.170",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-28 21:15
Modified
2025-04-15 20:27
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pwndoc_project | pwndoc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20",
"versionEndExcluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."
},
{
"lang": "es",
"value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad permite a un administrador importar datos sin procesar a la base de datos, incluidas las secuencias Path Traversal (`../`). Esto es problem\u00e1tico para la funci\u00f3n de actualizaci\u00f3n de plantillas, ya que utiliza la ruta de la base de datos para escribir contenido arbitrario, lo que podr\u00eda sobrescribir el c\u00f3digo fuente para lograr la ejecuci\u00f3n remota de c\u00f3digo. Cualquier usuario con los permisos `backups:create`, `backups:update` y `templates:update` (solo administradores de forma predeterminada) puede escribir contenido arbitrario en cualquier lugar del sistema de archivos. Al sobrescribir el c\u00f3digo fuente, es posible lograr la ejecuci\u00f3n remota de c\u00f3digo. La versi\u00f3n 1.2.0 soluciona el problema."
}
],
"id": "CVE-2025-27413",
"lastModified": "2025-04-15T20:27:24.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-28T21:15:27.820",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2025-27410 (GCVE-0-2025-27410)
Vulnerability from cvelistv5
Published
2025-02-28 21:00
Modified
2025-03-04 20:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx | x_refsource_CONFIRM | |
| https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080 | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527 | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27410",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T20:30:57.288857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T20:31:01.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pwndoc",
"vendor": "pwndoc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry\u0027s name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T21:00:11.328Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527"
},
{
"name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"
}
],
"source": {
"advisory": "GHSA-mxw8-vgvx-89hx",
"discovery": "UNKNOWN"
},
"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in backup restore as admin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27410",
"datePublished": "2025-02-28T21:00:11.328Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-04T20:31:01.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23044 (GCVE-0-2025-23044)
Vulnerability from cvelistv5
Published
2025-01-20 15:43
Modified
2025-02-12 20:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq | x_refsource_CONFIRM | |
| https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23044",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T14:43:59.618950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:20.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pwndoc",
"vendor": "pwndoc",
"versions": [
{
"status": "affected",
"version": "\u003c 14acb704891245bf1703ce6296d62112e85aa995"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user\u0027s behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-20T15:43:23.882Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995"
}
],
"source": {
"advisory": "GHSA-9v2v-jxvw-52rq",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) allows creating admin account with POST request"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23044",
"datePublished": "2025-01-20T15:43:23.882Z",
"dateReserved": "2025-01-10T15:11:08.883Z",
"dateUpdated": "2025-02-12T20:41:20.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55653 (GCVE-0-2024-55653)
Vulnerability from cvelistv5
Published
2024-12-10 22:56
Modified
2024-12-11 16:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn't need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55653",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:04:12.137179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:04:21.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pwndoc",
"vendor": "pwndoc",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn\u0027t need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T22:56:07.488Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc"
}
],
"source": {
"advisory": "GHSA-ggqg-3f7v-c8rc",
"discovery": "UNKNOWN"
},
"title": "pwndoc\u0027s UnhandledPromiseRejection on audits causes Denial of Service (DoS)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55653",
"datePublished": "2024-12-10T22:56:07.488Z",
"dateReserved": "2024-12-10T14:47:08.666Z",
"dateUpdated": "2024-12-11T16:04:21.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45771 (GCVE-0-2022-45771)
Vulnerability from cvelistv5
Published
2022-12-05 00:00
Modified
2025-04-24 13:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/issues/401"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45771",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:43:04.625579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:43:51.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pwndoc/pwndoc"
},
{
"url": "https://github.com/pwndoc/pwndoc/issues/401"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45771",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-11-21T00:00:00.000Z",
"dateUpdated": "2025-04-24T13:43:51.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27413 (GCVE-0-2025-27413)
Vulnerability from cvelistv5
Published
2025-02-28 21:02
Modified
2025-03-04 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27413",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T20:09:16.589445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T20:09:20.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pwndoc",
"vendor": "pwndoc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T21:02:35.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66"
},
{
"name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"
}
],
"source": {
"advisory": "GHSA-r3vj-47cf-4672",
"discovery": "UNKNOWN"
},
"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in template update from backup templates.json"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27413",
"datePublished": "2025-02-28T21:02:35.656Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-04T20:09:20.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55602 (GCVE-0-2024-55602)
Vulnerability from cvelistv5
Published
2024-12-10 16:58
Modified
2024-12-10 17:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T17:21:53.592076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:22:00.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pwndoc",
"vendor": "pwndoc",
"versions": [
{
"status": "affected",
"version": "\u003c 1d4219c596f4f518798492e48386a20c6e9a2fe6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T16:58:12.982Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6"
},
{
"name": "https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47"
}
],
"source": {
"advisory": "GHSA-2mqc-gg7h-76p6",
"discovery": "UNKNOWN"
},
"title": "PenDoc vulnerable to Arbitrary File Read on updating and downloading templates using Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55602",
"datePublished": "2024-12-10T16:58:12.982Z",
"dateReserved": "2024-12-09T14:22:52.524Z",
"dateUpdated": "2024-12-10T17:22:00.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44022 (GCVE-0-2022-44022)
Vulnerability from cvelistv5
Published
2022-10-29 00:00
Modified
2025-05-07 13:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/issues/381"
},
{
"tags": [
"x_transferred"
],
"url": "https://cve.nstsec.com/cve-2022-44022"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44022",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:53:08.731525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:53:41.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:42:03.078Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pwndoc/pwndoc/issues/381"
},
{
"url": "https://cve.nstsec.com/cve-2022-44022"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-44022",
"datePublished": "2022-10-29T00:00:00.000Z",
"dateReserved": "2022-10-29T00:00:00.000Z",
"dateUpdated": "2025-05-07T13:53:41.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44023 (GCVE-0-2022-44023)
Vulnerability from cvelistv5
Published
2022-10-29 00:00
Modified
2024-08-03 13:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44023",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T15:25:21.367337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:15:43.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/issues/382"
},
{
"tags": [
"x_transferred"
],
"url": "https://cve.nstsec.com/cve-2022-44023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:45:45.725216",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pwndoc/pwndoc/issues/382"
},
{
"url": "https://cve.nstsec.com/cve-2022-44023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-44023",
"datePublished": "2022-10-29T00:00:00",
"dateReserved": "2022-10-29T00:00:00",
"dateUpdated": "2024-08-03T13:47:05.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31590 (GCVE-0-2021-31590)
Vulnerability from cvelistv5
Published
2021-07-19 19:45
Modified
2024-08-03 23:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pwndoc/pwndoc/security/advisories | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/pull/128 | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/pull/74 | x_refsource_MISC | |
| https://www.dgc.org/responsible_disclosure_pwndoc_jwt | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23 | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d | x_refsource_MISC | |
| https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:03:33.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/pull/128"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/pull/74"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the \"user\" privilege. Even after a user\u0027s account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-13T14:54:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/security/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/pull/128"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/pull/74"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31590",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the \"user\" privilege. Even after a user\u0027s account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pwndoc/pwndoc/security/advisories",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/security/advisories"
},
{
"name": "https://github.com/pwndoc/pwndoc/pull/128",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/pull/128"
},
{
"name": "https://github.com/pwndoc/pwndoc/pull/74",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/pull/74"
},
{
"name": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt",
"refsource": "MISC",
"url": "https://www.dgc.org/responsible_disclosure_pwndoc_jwt"
},
{
"name": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d"
},
{
"name": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab",
"refsource": "MISC",
"url": "https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31590",
"datePublished": "2021-07-19T19:45:41",
"dateReserved": "2021-04-22T00:00:00",
"dateUpdated": "2024-08-03T23:03:33.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}