PT-2024-36569 · Pendoc · Pendoc

Jorianwoltjer · Published 2024-12-11 · Updated 2024-12-13 · CVE-2024-55652

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PenDoc versions prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6

Description

PenDoc is a penetration testing reporting application. An attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. By default, only users with the admin role are able to create or update templates, so exploitation requires an attacker who can control the contents of the template document.

Recommendations

Update to a version that includes commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 to resolve the issue. As a temporary workaround, consider restricting access to template creation and update functionality to minimize the risk of exploitation. Avoid using malicious docx templates until the issue is resolved.

Related Identifiers

CVE-2024-55652
GHSA-JW5R-6927-HWPC

Affected Products

Pendoc