Vulnerability Description
The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticated attacker, the content cannot be controlled. It is possible to overwrite all files for which the webserver has write access. It is required to supply a relative path (path traversal).
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2024/May/34
- https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffe
- https://r.sec-consult.com/hawki
- http://seclists.org/fulldisclosure/2024/May/34
- https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffe
- https://r.sec-consult.com/hawki
FAQ
What is CVE-2024-25975?
CVE-2024-25975 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The f...
How severe is CVE-2024-25975?
CVE-2024-25975 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-25975?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.