CVE-2024-55652 – PwnDoc Server-Side Template Injection vulnerability - Sandbox Escape to RCE using custom filters
https://notcve.org/view.php?id=CVE-2024-55652
PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the contents of the template document is able to execute arbitrary code on the system. By default, only users with the `admin` role are able to create or update templates. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 patches the issue. • https://github.com/pwndoc/pwndoc/blob/main/backend/src/lib/report-filters.js#L258-L260 https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6 https://github.com/pwndoc/pwndoc/security/advisories/GHSA-jw5r-6927-hwpc • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-55653 – pwndoc's UnhandledPromiseRejection on audits causes Denial of Service (DoS)
https://notcve.org/view.php?id=CVE-2024-55653
PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn't need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available. • https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc • CWE-20: Improper Input Validation •
CVE-2024-55602 – PenDoc vulnerable to Arbitrary File Read on updating and downloading templates using Path Traversal
https://notcve.org/view.php?id=CVE-2024-55602
PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue. • https://gist.github.com/JorianWoltjer/8a42e25c6dfa7604020d2a226e193407 https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L103 https://github.com/pwndoc/pwndoc/blob/2e7f5747d5688b1368e549c786ce7266fe5ab2b5/backend/src/routes/template.js#L43-L47 https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6 https://github.com/pwndoc/pwndoc/security/advisories/GHSA-2mqc-gg7h-76p6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-44022
https://notcve.org/view.php?id=CVE-2022-44022
PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts. PwnDoc hasta 0.5.3 podría permitir a atacantes remotos identificar nombres de cuentas de usuario válidos aprovechando los tiempos de respuesta para los intentos de autenticación. • https://cve.nstsec.com/cve-2022-44022 https://github.com/pwndoc/pwndoc/issues/381 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2022-44023
https://notcve.org/view.php?id=CVE-2022-44023
PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts. PwnDoc hasta 0.5.3 podría permitir a atacantes remotos identificar nombres de cuentas de usuario deshabilitadas aprovechando los mensajes de respuesta para intentos de autenticación. • https://cve.nstsec.com/cve-2022-44023 https://github.com/pwndoc/pwndoc/issues/382 • CWE-307: Improper Restriction of Excessive Authentication Attempts •