CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23044: Cross-Site Request Forgery (CSRF) allows creating admin account with POST request

6.8 CVSS

Description

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.

Classification

CVE ID: CVE-2025-23044

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

Affected Products

Vendor: pwndoc

Product: pwndoc

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.68% (scored less or equal to compared to others)

EPSS Date: 2025-02-18 (when was this score calculated)

References

https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq
https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995

Timeline

2025-01-21 00:33:23 UTC
CVE

Cross-Site Request Forgery (CSRF) allows creating admin account with POST request