CVE-2024-55602

PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue.
Configurations

Configuration 1

cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*

History

18 Apr 2025, 18:06

Type | Values Removed | Values Added
Summary | | (es) PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue.
First Time | | Pwndoc Project pwndoc; Pwndoc Project
References | () https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407 - | () https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407 - Product
References | () https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103 - | () https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103 - Product
References | () https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47 - | () https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47 - Product
References | () https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6 - | () https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6 - Patch
References | () https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6 - | () https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6 - Exploit, Vendor Advisory
CPE | | cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*

10 Dec 2024, 18:15

Type | Values Removed | Values Added
References | () https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407 - | () https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407 -
References | () https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6 - | () https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6 -

10 Dec 2024, 17:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-12-10 17:15

Updated : 2025-04-18 18:06


NVD link : CVE-2024-55602

Mitre link : CVE-2024-55602

CVE.ORG link : CVE-2024-55602


Products Affected

pwndoc_project

  • pwndoc
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')