CVE-2025-27413

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175	Product
https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827	Product
https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66	Product
https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d	Patch
https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0	Release Notes
https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672	Exploit Vendor Advisory
https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-28 21:15

Updated : 2025-04-15 20:27

NVD link : CVE-2025-27413

Mitre link : CVE-2025-27413

CVE.ORG link : CVE-2025-27413

JSON object : View

Products Affected

pwndoc_project

pwndoc

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-27413", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2025-02-28T21:15:27.820", "references": [{"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."}, {"lang": "es", "value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad permite a un administrador importar datos sin procesar a la base de datos, incluidas las secuencias Path Traversal (`../`). Esto es problem\u00e1tico para la funci\u00f3n de actualizaci\u00f3n de plantillas, ya que utiliza la ruta de la base de datos para escribir contenido arbitrario, lo que podr\u00eda sobrescribir el c\u00f3digo fuente para lograr la ejecuci\u00f3n remota de c\u00f3digo. Cualquier usuario con los permisos `backups:create`, `backups:update` y `templates:update` (solo administradores de forma predeterminada) puede escribir contenido arbitrario en cualquier lugar del sistema de archivos. Al sobrescribir el c\u00f3digo fuente, es posible lograr la ejecuci\u00f3n remota de c\u00f3digo. La versi\u00f3n 1.2.0 soluciona el problema."}], "lastModified": "2025-04-15T20:27:24.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20", "versionEndExcluding": "1.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}