PT-2025-4789 · Pwndoc · Pwndoc
Jorianwoltjer · Published 2025-01-20 · Updated 2025-01-20
CVE-2025-23044
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
PwnDoc versions prior to the version that includes commit 14acb704891245bf1703ce6296d62112e85aa995
Description
PwnDoc is a penetration test report generator that lacks CSRF protection, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies.
Recommendations
Update to a version that includes commit 14acb704891245bf1703ce6296d62112e85aa995 to resolve the issue. As a temporary workaround for earlier versions, consider implementing additional security measures to protect against CSRF attacks, such as validating request origins or using a CSRF token.
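The workaround above, sketched as an added example in framework-independent JavaScript (this is not PwnDoc's code and not the change made in the referenced commit): a session cookie serialized with `SameSite=Strict`, and a request-origin check applied to every method. The allowed origin, the cookie name and the function names are assumptions.

```javascript
// Added example: CSRF defences for a cookie-authenticated API, no framework needed.
// ALLOWED_ORIGINS, the cookie name and all function names are assumptions.
const ALLOWED_ORIGINS = new Set(["https://pwndoc.example.internal:8443"]);

// Build a Set-Cookie value that browsers will not attach to cross-site requests.
function sessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Decide whether a request carrying the session cookie may proceed.
// `headers` uses lower-case names, as Node's http module provides them.
// The HTTP method is ignored because the advisory covers both GET and POST.
function checkCsrf(headers) {
  const allow = (reason) => ({ allowed: true, reason });
  const deny = (reason) => ({ allowed: false, reason });
  const site = headers["sec-fetch-site"];
  // Fetch Metadata: modern browsers label where the request came from.
  if (site !== undefined && site !== "same-origin") {
    return deny(`fetch-metadata:${site}`);
  }
  const raw = headers["origin"] ?? headers["referer"];
  if (raw === undefined) {
    // No Origin/Referer: accept only if the browser vouched for same-origin.
    return site === "same-origin" ? allow("same-origin") : deny("no-provenance");
  }
  let origin;
  try {
    origin = new URL(raw).origin; // normalises scheme, host and port
  } catch {
    return deny("bad-origin"); // e.g. the literal "null" from a sandboxed frame
  }
  return ALLOWED_ORIGINS.has(origin) ? allow("origin-match") : deny("cross-origin");
}

// Constructed sample requests (not captured traffic).
const samples = [
  { origin: "https://pwndoc.example.internal:8443", "sec-fetch-site": "same-origin" },
  { origin: "https://attacker.example", "sec-fetch-site": "cross-site" },
  { referer: "https://pwndoc.example.internal:8443/audits/1" },
  {},
];
for (const h of samples) console.log(JSON.stringify(h), "->", checkCsrf(h).reason);
console.log(sessionCookie("session", "abc.def", 900));
```

Requests with no provenance headers are rejected here, so non-browser API clients would need to send an `Origin` header matching the allow-list.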
Exploit
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Pwndoc