CVE-2024-25975
Published: May 29, 2024
Modified: Feb 13, 2025
Description
The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly, so an arbitrary file can be overwritten. An authenticated attacker can control which file is written, but not the content that is written to it. Any file for which the webserver has write access can be overwritten. The attacker must supply a relative path (path traversal).
| Vendor | Product | Versions |
|---|---|---|
| Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany | HAWKI | affected versions before commit 146967f |
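
The filtering the description says is missing can be modelled as below. This is an added example, not HAWKI's code and not the fix in commit 146967f, showing a vote handler that only ever touches existing JSON records inside its own directory. The identifier format, the `upvote`/`downvote` field names, the directory layout and all function names are assumptions made for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed identifier format; the advisory does not give the real parameter names.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")

class RejectedVote(ValueError):
    """The request names something other than an existing vote record."""

def resolve_vote_file(base_dir: Path, message_id: str) -> Path:
    # Allowlist first: separators, dots and empty values never reach the filesystem.
    if not ID_PATTERN.fullmatch(message_id):
        raise RejectedVote("identifier contains disallowed characters")
    base = base_dir.resolve()
    candidate = (base / f"{message_id}.json").resolve()
    # Containment: after '..' and symlink resolution the file must sit directly in base.
    if candidate.parent != base:
        raise RejectedVote("resolved path leaves the vote directory")
    return candidate

def apply_vote(base_dir: Path, message_id: str, action: str) -> dict:
    if action not in ("upvote", "downvote"):
        raise RejectedVote("unknown action")
    path = resolve_vote_file(base_dir, message_id)
    # Only update records the server created; never create or overwrite anything else.
    if not path.is_file():
        raise RejectedVote("no such vote record")
    record = json.loads(path.read_text(encoding="utf-8"))
    record[action] = int(record.get(action, 0)) + 1
    path.write_text(json.dumps(record), encoding="utf-8")
    return record

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "feedback"
        store.mkdir()
        (store / "msg1.json").write_text('{"upvote": 0, "downvote": 0}')
        outside = Path(tmp) / "config.txt"  # stands in for any webserver-writable file
        outside.write_text("untouched")
        results = {"msg1": apply_vote(store, "msg1", "upvote")}
        for bad in ("../config.txt", "msg1/../../config", ""):  # constructed inputs
            try:
                results[bad] = apply_vote(store, bad, "upvote")
            except RejectedVote as exc:
                results[bad] = f"rejected: {exc}"
        results["outside"] = outside.read_text()
        return results
```

The containment check after `resolve()` is kept even though the allowlist already blocks separators, so that a symlinked record or a later loosening of the pattern still cannot redirect the write.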
Weaknesses (CWE)