Home > Vulnerability Database > CVE-2024-55652

Mend.io Vulnerability Database

CVE-2024-55652

Date: December 11, 2024

PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the contents of the template document is able to execute arbitrary code on the system. By default, only users with the "admin" role are able to create or update templates. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 patches the issue.

Language: JS

Severity Score

6.5

Related Resources (5)

Url: https://github.com/pwndoc/pwndoc/blob/main/backend/src/lib/report-filters.js#L258-L260

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-55652

Url: https://github.com/pwndoc/pwndoc/security/advisories/GHSA-jw5r-6927-hwpc

Url: https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6

Url: https://www.mend.io/vulnerability-database/CVE-2024-55652

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-55652

Date: December 11, 2024

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?