CVE-2025-23044
Published: 20 January 2025
Summary
CVE-2025-23044 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in PwnDoc (Pwndoc Project). Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 (Session Authenticity): requires mechanisms to protect the authenticity of communications sessions. This directly mitigates CSRF by validating that each state-changing request originates from the application itself, through a per-session token or the SameSite cookie attribute, so that a forged request made on an authenticated user's behalf is rejected.
IA-5 (Authenticator Management): mandates management of authenticators, including session cookies, and the secure attributes they carry. A SameSite attribute stops the browser from attaching the session cookie to the cross-site requests this CVE relies on; HttpOnly and Secure limit its exposure further.
CM-6 (Configuration Settings): establishes and enforces secure configuration settings for the web application and its cookies, addressing the missing SameSite attribute and the absent CSRF protection described in the CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PwnDoc is a public-facing web application, so a CSRF flaw in it maps to T1190 (Exploit Public-Facing Application): the attacker forges authenticated requests from a victim's browser, leading to unauthorized data access or modification.
NVD Description
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
Deeper analysis
CVE-2025-23044 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting PwnDoc, an open-source penetration test report generator. The issue stems from the absence of any CSRF protection in pwndoc: the session cookie carries no SameSite attribute, so the browser attaches it to cross-site requests, and the application's endpoints accept those requests without a token or origin check. Because GET requests are forgeable as well as POST requests, an attacker needs nothing more than a hidden image or link on a page the victim visits, and the ability to refresh cookies means a forged request can also keep the victim's session alive. The vulnerability received a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on January 20, 2025.
Attackers can exploit this vulnerability remotely over the network without any privileges on the target, but it demands high attack complexity and user interaction: a logged-in PwnDoc user must be lured to a page under the attacker's control while their session is valid. Successful exploitation lets the attacker perform actions on the victim's behalf with the victim's privileges, with high confidentiality and integrity impact, such as reading or modifying report data through forged requests. A practitioner can confirm exposure by inspecting the Set-Cookie header returned at login: a session cookie without a SameSite attribute indicates an unpatched instance.
Mitigation is available via commit 14acb704891245bf1703ce6296d62112e85aa995 in the pwndoc repository, which patches the CSRF protection deficiencies. Additional details are provided in the GitHub security advisory GHSA-9v2v-jxvw-52rq.
Details
- CWE(s)