CVE-2025-24885

Published: Jan 30, 2025Modified: Jan 30, 2025

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Exploitability: 2.3 / Impact: 4.7

Source: security-advisories@github.com (Secondary)

Description

pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on rendering custom (unprivileged) dojo pages causes ability for users to create stored XSS.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://github.com/pwncollege/dojo/security/advisories/GHSA-8m79-rmhw-rg84

Source: security-advisories@github.com

Timeline

No history available yet.