{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-24T15:51:17.268Z", "datePublished": "2025-02-28T21:00:11.328Z", "dateUpdated": "2025-03-04T20:31:01.435Z"}, "containers": {"cna": {"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in backup restore as admin", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"}, {"name": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080"}, {"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527"}, {"name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"}], "affected": [{"vendor": "pwndoc", "product": "pwndoc", "versions": [{"version": "< 1.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-28T21:00:11.328Z"}, "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."}], "source": {"advisory": "GHSA-mxw8-vgvx-89hx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T20:30:57.288857Z", "id": "CVE-2025-27410", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T20:31:01.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27410", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T20:30:57.288857Z"}}}], "references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T20:30:51.942Z"}}], "cna": {"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in backup restore as admin", "source": {"advisory": "GHSA-mxw8-vgvx-89hx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pwndoc", "product": "pwndoc", "versions": [{"status": "affected", "version": "< 1.2.0"}]}], "references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080", "name": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527", "name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-28T21:00:11.328Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27410", "state": "PUBLISHED", "dateUpdated": "2025-03-04T20:31:01.435Z", "dateReserved": "2025-02-24T15:51:17.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-28T21:00:11.328Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*", "matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20", "versionEndExcluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is vulnerable to path traversal in the TAR entry's name, allowing an attacker to overwrite any file on the system with their content. By overwriting an included `.js` file and restarting the container, this allows for Remote Code Execution as an administrator. The remote code execution occurs because any user with the `backups:create` and `backups:update` (only administrators by default) is able to overwrite any file on the system. Version 1.2.0 fixes the issue."}, {"lang": "es", "value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad era vulnerable a la navegaci\u00f3n por rutas en el nombre de la entrada TAR, lo que permit\u00eda a un atacante sobrescribir cualquier archivo del sistema con su contenido. Al sobrescribir un archivo `.js` incluido y reiniciar el contenedor, se permite la ejecuci\u00f3n remota de c\u00f3digo como administrador. La ejecuci\u00f3n remota de c\u00f3digo se produce porque cualquier usuario con `backups:create` y `backups:update` (solo administradores de forma predeterminada) puede sobrescribir cualquier archivo del sistema. La versi\u00f3n 1.2.0 soluciona el problema."}], "id": "CVE-2025-27410", "lastModified": "2025-04-16T13:04:55.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-28T21:15:27.677", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L527"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pwndoc/pwndoc/commit/98f284291d73d3a0b11d3181d845845c192d1080"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-mxw8-vgvx-89hx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}