References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

http://seclists.org/fulldisclosure/2024/May/34

https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1

https://r.sec-consult.com/hawki

CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

SEC Consult Vulnerability Lab http://seclists.org/fulldisclosure/2024/May/34 [No types assigned]

The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticated attacker, the content cannot be controlled. It is possible to overwrite all files for which the webserver has write access. It is required to supply a relative path (path traversal).

SEC Consult Vulnerability Lab CWE-73

SEC Consult Vulnerability Lab https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1 [No types assigned]

SEC Consult Vulnerability Lab https://r.sec-consult.com/hawki [No types assigned]