CVE-2024-55653

moderate-risk

Published 2024-12-10

PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn't need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available.

Do I need to act?

0.66% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Pwndoc

Affected Vendors

Pwndoc Project

References (1)

Exploit https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal