CVE-2024-25975: Arbitrary File Overwrite

Vendor: Interaction Design Team At The University Of Applied Sciences And Arts In Hildesheim/Germany
Product: HAWKI
Weakness: CWE-73
Published: May 29, 2024
Last update: February 13, 2025

CVSS base score

What the vulnerability does

01 Description

The application implements an upvote and downvote function that alters a value within a JSON file. The POST parameters are not filtered properly, so an arbitrary file can be overwritten. An authenticated attacker can control which file is overwritten, but not the content written to it. Any file to which the web server has write access can be overwritten. The target must be supplied as a relative path (path traversal).
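
One way to close the hole described above, shown as an added example that is not HAWKI's code: the vote handler treats the POST value as an identifier rather than a path and confirms the resolved file stays inside the vote directory. The function names, the one-JSON-file-per-message layout, the `up`/`down` keys and the temporary demo directory are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map a client-supplied message id to a vote file in $baseDir.
function resolveVoteFile(string $messageId, string $baseDir): ?string
{
    // Allow-list: the id is an identifier, never a path (no dots, no slashes).
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $messageId) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $messageId . '.json');
    if ($base === false || $target === false) {
        return null; // directory or vote file does not exist
    }
    // Defence in depth: after symlink resolution the file must still sit under the base.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Hypothetical vote handler: increments one counter, only in a validated file.
function applyVote(string $messageId, string $direction, string $baseDir): bool
{
    $file = resolveVoteFile($messageId, $baseDir);
    if ($file === null || !in_array($direction, ['up', 'down'], true)) {
        return false;
    }
    $data = json_decode((string) file_get_contents($file), true);
    if (!is_array($data)) {
        return false; // refuse to rewrite a file that is not a vote record
    }
    $data[$direction] = (int) ($data[$direction] ?? 0) + 1;
    return file_put_contents($file, json_encode($data), LOCK_EX) !== false;
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . '/vote_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/msg_42.json', '{"up":0,"down":0}');
var_dump(applyVote('msg_42', 'up', $dir));               // well-formed id
var_dump(applyVote('../../config/settings', 'up', $dir)); // relative path is refused
```

Running the web server with write access limited to the vote directory bounds the damage if a check like this is ever bypassed.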

Key dates

02 Disclosure timeline

May 29, 2024: CVE published
February 13, 2025: Record updated