3 vulnerabilities
CVE-2025-3014 (GCVE-0-2025-3014)
Vulnerability from cvelistv5 – Published: 2025-03-31 03:48 – Updated: 2025-03-31 13:37
Summary
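Insecure Direct Object References (IDOR) in access control in the Tracking module 2.1.4 of NightWolf Penetration Testing allows an attacker to gain unauthorized access by manipulating request parameters or object references. The description does not name the objects exposed; the CVSS 4.0 vector in the record below (PR:L, VC:H/VI:N/VA:N) rates this as a confidentiality-only impact for an attacker who already holds low privileges.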
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| FPT Software | NightWolf Penetration Platform | Affected: 2.1.4 (custom); Unaffected: 2.1.5 (custom) |
Credits
Hoang Anh Khoa (khoahoang329@gmail.com)
Quyen Hong Son (sonqh.kma@gmail.com)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T13:37:39.163781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T13:37:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tracking"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "2.1.4",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hoang Anh Khoa (khoahoang329@gmail.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Quyen Hong Son (sonqh.kma@gmail.com)"
}
],
"datePublic": "2025-03-31T03:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePenetration Testing \u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references."
}
],
"impacts": [
{
"capecId": "CAPEC-27",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-27: Leveraging Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T03:52:24.208Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-28T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2025-03-29T02:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2025-03-30T10:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-3014",
"datePublished": "2025-03-31T03:48:12.504Z",
"dateReserved": "2025-03-31T03:27:15.991Z",
"dateUpdated": "2025-03-31T13:37:51.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3013 (GCVE-0-2025-3013)
Vulnerability from cvelistv5 – Published: 2025-03-31 03:40 – Updated: 2025-03-31 15:55
Summary
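Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker to gain unauthorized access by manipulating request parameters or object references. Note that the affected-version data in this record lists 2.1.2 through 2.1.4 (inclusive) as affected and 2.1.5 as unaffected, so "before 2.1.4" understates the range: treat 2.1.4 as vulnerable and 2.1.5 as the fixed version.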
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| FPT Software | NightWolf Penetration Platform | Affected: 2.1.2, ≤ 2.1.4 (custom); Unaffected: 2.1.5 (custom) |
Credits
Phan Quang Bao (quangbao368@gmail.com)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T15:53:42.558887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:55:30.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"portal"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"lessThanOrEqual": "2.1.4",
"status": "affected",
"version": "2.1.2",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Phan Quang Bao (quangbao368@gmail.com)"
}
],
"datePublic": "2025-03-31T03:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePenetration Testing\u0026nbsp;\u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u00a0Penetration Testing\u00a0allows an attacker to access via manipulating request parameters or object references."
}
],
"impacts": [
{
"capecId": "CAPEC-27",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-27: Leveraging Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T03:45:01.982Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-27T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2025-03-28T01:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2025-03-29T08:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-3013",
"datePublished": "2025-03-31T03:40:04.534Z",
"dateReserved": "2025-03-31T03:26:43.696Z",
"dateUpdated": "2025-03-31T15:55:30.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31165 (GCVE-0-2025-31165)
Vulnerability from cvelistv5 – Published: 2025-03-27 04:00 – Updated: 2025-03-28 03:58
Summary
Cross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| FPT Software | NightWolf Penetration Platform | Affected: 1.2.2 (custom); Unaffected: 1.2.3 (custom) |
Credits
Do Quang Dat (datdq111@gmail.com)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:36:02.883849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:36:34.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logbug"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "1.2.2",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.2.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Do Quang Dat (datdq111@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eCross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Cross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T03:58:34.636Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement secure coding practices for the markdown editor to mitigate vulnerability."
}
],
"value": "Implement secure coding practices for the markdown editor to mitigate vulnerability."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-18T08:00:00.000Z",
"value": "The reported vulnerability has been submitted for the developer\u0027s review and resolution."
},
{
"lang": "en",
"time": "2025-03-18T10:00:00.000Z",
"value": "The reported vulnerability has been triaged, verified, and submitted for the developer\u0027s review and resolution."
},
{
"lang": "en",
"time": "2025-03-19T06:00:00.000Z",
"value": "The fixed version (1.2.3) has been released and deployed to the log bug server."
},
{
"lang": "en",
"time": "2025-03-27T04:00:00.000Z",
"value": "The CVE has been officially released and assigned to the reporter."
}
],
"title": "Cross Site Scripting in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-31165",
"datePublished": "2025-03-27T04:00:55.276Z",
"dateReserved": "2025-03-27T03:51:31.693Z",
"dateUpdated": "2025-03-28T03:58:34.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}