{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27413", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-24T15:51:17.268Z", "datePublished": "2025-02-28T21:02:35.656Z", "dateUpdated": "2025-03-04T20:09:20.769Z"}, "containers": {"cna": {"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in template update from backup templates.json", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"}, {"name": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d"}, {"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175"}, {"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827"}, {"name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66"}, {"name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"}], "affected": [{"vendor": "pwndoc", "product": "pwndoc", "versions": [{"version": "< 1.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-28T21:02:35.656Z"}, "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."}], "source": {"advisory": "GHSA-r3vj-47cf-4672", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T20:09:16.589445Z", "id": "CVE-2025-27413", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T20:09:20.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27413", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T20:09:16.589445Z"}}}], "references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T20:09:09.898Z"}}], "cna": {"title": "PwnDoc Arbitrary File Write to RCE using Path Traversal in template update from backup templates.json", "source": {"advisory": "GHSA-r3vj-47cf-4672", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pwndoc", "product": "pwndoc", "versions": [{"status": "affected", "version": "< 1.2.0"}]}], "references": [{"url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "name": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d", "name": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175", "name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827", "name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66", "name": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "name": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-28T21:02:35.656Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27413", "state": "PUBLISHED", "dateUpdated": "2025-03-04T20:09:20.769Z", "dateReserved": "2025-02-24T15:51:17.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-28T21:02:35.656Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*", "matchCriteriaId": "11E7BA7B-6D6B-4186-80A8-06B69AA22B20", "versionEndExcluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal (`../`) sequences. This is problematic for the template update functionality as it uses the path from the database to write arbitrary content to, potentially overwriting source code to achieve Remote Code Execution. Any user with the `backups:create`, `backups:update` and `templates:update` permissions (only administrators by default) can write arbitrary content to anywhere on the filesystem. By overwriting source code, it is possible to achieve Remote Code Execution. Version 1.2.0 fixes the issue."}, {"lang": "es", "value": "PwnDoc es una aplicaci\u00f3n de informes de pruebas de penetraci\u00f3n. Antes de la versi\u00f3n 1.2.0, la funci\u00f3n de restauraci\u00f3n de copias de seguridad permite a un administrador importar datos sin procesar a la base de datos, incluidas las secuencias Path Traversal (`../`). Esto es problem\u00e1tico para la funci\u00f3n de actualizaci\u00f3n de plantillas, ya que utiliza la ruta de la base de datos para escribir contenido arbitrario, lo que podr\u00eda sobrescribir el c\u00f3digo fuente para lograr la ejecuci\u00f3n remota de c\u00f3digo. Cualquier usuario con los permisos `backups:create`, `backups:update` y `templates:update` (solo administradores de forma predeterminada) puede escribir contenido arbitrario en cualquier lugar del sistema de archivos. Al sobrescribir el c\u00f3digo fuente, es posible lograr la ejecuci\u00f3n remota de c\u00f3digo. La versi\u00f3n 1.2.0 soluciona el problema."}], "id": "CVE-2025-27413", "lastModified": "2025-04-15T20:27:24.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-28T21:15:27.820", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/models/template.js#L170-L175"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/backup.js#L826-L827"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/pwndoc/pwndoc/blob/14acb704891245bf1703ce6296d62112e85aa995/backend/src/routes/template.js#L63-L66"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pwndoc/pwndoc/commit/68aa1ea676a91e17bfb333a27571151bd07fb21d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pwndoc/pwndoc/releases/tag/v1.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-r3vj-47cf-4672"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}