PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
CVE ID: CVE-2025-23044
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.8
Vendor: pwndoc
Product: pwndoc
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.68% (scored less or equal to compared to others)
EPSS Date: 2025-02-18 (when was this score calculated)