CVE-2025-27410

{"id": "CVE-2025-27410", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2025-02-28T21:15:27.677", "references": [{"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."}, {"lang": "es", "value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad era vulnerable a la navegaci\u00f3n por rutas en el nombre de la entrada TAR, lo que permit\u00eda a un atacante sobrescribir cualquier archivo del sistema con su contenido. Al sobrescribir un archivo `.js` incluido y reiniciar el contenedor, se permite la ejecuci\u00f3n remota de c\u00f3digo como administrador. La ejecuci\u00f3n remota de c\u00f3digo se produce porque cualquier usuario con `backups:create` y `backups:update` (solo administradores de forma predeterminada) puede sobrescribir cualquier archivo del sistema. La versi\u00f3n 1.2.0 soluciona el problema."}], "lastModified": "2025-04-16T13:04:55.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20", "versionEndExcluding": "1.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}