Faction
Unauthenticated authorization bypass in the FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without validating the session, compounded by four BoilerPlateConfig action methods that perform no local authorization check of their own. No public exploit was identified at time of analysis; EPSS is low (0.15%), while SSVC rates exploitation as POC with total technical impact.
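The bug class described above, as an added illustration in plain Java that is not FACTION's code: the framework's real interceptor stack and action classes are not modelled, and Session, Action, AccessDenied and the in-memory template store are hypothetical stand-ins. It shows why two layers matter: an interceptor that forwards every request without checking the session, combined with an action that trusts the interceptor completely, lets an anonymous request delete a template, while the hardened pair rejects it at the interceptor and, should that ever be misconfigured, again inside the action.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not FACTION's code. A plain-Java model of an
// interceptor-driven action framework showing the bug class: the interceptor
// forwards to the action without validating the session, and the action itself
// performs no local authorization check, so an anonymous request succeeds.
public class TemplateAuthzExample {

    /** Hypothetical stand-in for the HTTP session; a null user means unauthenticated. */
    static final class Session {
        final String user;
        final Set<String> roles;
        Session(String user, Set<String> roles) { this.user = user; this.roles = roles; }
        boolean isAuthenticated() { return user != null; }
    }

    /** Hypothetical action interface (the real framework's action API is not modelled). */
    interface Action {
        String execute(Session session);
    }

    /** Thrown to abort the request with an HTTP status before the action runs. */
    static final class AccessDenied extends RuntimeException {
        final int status;
        AccessDenied(int status, String message) { super(message); this.status = status; }
    }

    /** Constructed template store standing in for the boilerplate templates table. */
    static final Map<String, String> templates = new HashMap<>();

    // Vulnerable interceptor: invokes the action no matter what the session holds.
    static String vulnerableIntercept(Action action, Session session) {
        return action.execute(session);
    }

    // Hardened interceptor: refuse to invoke any action for an unauthenticated session.
    static String hardenedIntercept(Action action, Session session) {
        if (session == null || !session.isAuthenticated()) {
            throw new AccessDenied(401, "no valid session");
        }
        return action.execute(session);
    }

    // Vulnerable action: relies entirely on the interceptor, so a bypass there is fatal.
    static final Action deleteTemplateUnchecked = session -> {
        templates.remove("default-report");
        return "deleted";
    };

    // Hardened action: re-checks authentication and role locally (defense in depth),
    // so even a misconfigured interceptor stack cannot expose template management.
    static final Action deleteTemplateChecked = session -> {
        if (session == null || !session.isAuthenticated() || !session.roles.contains("ADMIN")) {
            throw new AccessDenied(403, "template management requires the ADMIN role");
        }
        templates.remove("default-report");
        return "deleted";
    };

    public static void main(String[] args) {
        Session anonymous = new Session(null, Set.of());
        Session admin = new Session("alice", Set.of("ADMIN"));

        // Anonymous request through the vulnerable pair: the template is removed.
        templates.put("default-report", "boilerplate text");
        System.out.println("vulnerable/anonymous: " + vulnerableIntercept(deleteTemplateUnchecked, anonymous)
                + ", templates remaining=" + templates.size());

        // Same request through the hardened pair: rejected before the action runs.
        templates.put("default-report", "boilerplate text");
        try {
            hardenedIntercept(deleteTemplateChecked, anonymous);
        } catch (AccessDenied e) {
            System.out.println("hardened/anonymous: HTTP " + e.status + " (" + e.getMessage() + ")"
                    + ", templates remaining=" + templates.size());
        }

        // An authenticated admin still succeeds.
        System.out.println("hardened/admin: " + hardenedIntercept(deleteTemplateChecked, admin)
                + ", templates remaining=" + templates.size());
    }
}
```

Compile and run with `javac TemplateAuthzExample.java && java TemplateAuthzExample` (Java 9 or later for `Set.of`). The point to take from it when auditing an interceptor-based application: a missing check in the shared interceptor is a single point of failure for every action behind it, so privileged actions should carry their own authorization check rather than assume the stack in front of them did the work.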
Stored cross-site scripting in Faction (a penetration testing report generation and collaboration framework) versions prior to 1.8.3 allows authenticated low-privilege users to persist attacker-controlled JavaScript via attachment filenames that are later rendered without output encoding when other users preview assessment files. Because the payload executes in the victim's browser under the application origin, an attacker can hijack manager or admin sessions. SSVC rates technical impact as total; EPSS sits at 0.03% (10th percentile), and no public exploit was identified at time of analysis.
Stored cross-site scripting in the Faction penetration testing platform, versions prior to 1.8.3, allows authenticated users to inject JavaScript via crafted attachment filenames in remediation verification flows; the payload then executes in the browser of any user viewing the affected verification or remediation views. With a scope-changed CVSS vector (S:C) and high confidentiality and integrity impact, exploitation can hijack privileged manager or assessor sessions. No public exploit was identified at time of analysis, and EPSS sits at 0.03% (10th percentile).
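Both stored-XSS entries above share one sink: a filename supplied at upload time is stored verbatim and later concatenated into HTML shown to other users (the file preview in the first entry, the verification and remediation views in the second). The following is an added illustration in plain Java, not Faction's code; the sample filenames are constructed, and the `escapeHtml` helper is a minimal stand-in for a library encoder such as OWASP Java Encoder. It renders the same stored names through the vulnerable concatenation and through context-aware output encoding, which is the fix class for this bug: the stored value is left alone, and encoding happens where the value meets the markup.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Added illustration, not Faction's code. Models the sink described in both
// advisories: an attachment filename is stored verbatim and later concatenated
// into HTML shown to other users (file preview, remediation verification views).
public class AttachmentPreviewExample {

    // Constructed sample filenames, as an uploading user could have chosen them.
    // The last one is a stored-XSS payload that fires when the preview is rendered.
    static final List<String> STORED_FILENAMES = List.of(
            "nmap-scan.txt",
            "evidence \"final\".png",
            "<img src=x onerror=alert(document.cookie)>.pdf"
    );

    // Vulnerable rendering: the filename goes straight into markup, twice
    // (once inside a quoted attribute, once as element text).
    static String renderVulnerable(String filename) {
        return "<li><a href=\"/attachments/" + filename + "\">" + filename + "</a></li>";
    }

    // HTML entity encoding for text and quoted-attribute contexts. A minimal
    // stand-in for a library encoder such as OWASP Java Encoder's Encode.forHtml.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened rendering: encode for each context at the point of output.
    // The href gets URL encoding for the path segment (then HTML encoding,
    // because it sits in an attribute); the link text gets HTML encoding.
    // The stored value itself is never modified.
    static String renderSafe(String filename) {
        String segment = URLEncoder.encode(filename, StandardCharsets.UTF_8).replace("+", "%20");
        return "<li><a href=\"/attachments/" + escapeHtml(segment) + "\">"
                + escapeHtml(filename) + "</a></li>";
    }

    public static void main(String[] args) {
        for (String name : STORED_FILENAMES) {
            System.out.println("stored:     " + name);
            System.out.println("vulnerable: " + renderVulnerable(name));
            System.out.println("safe:       " + renderSafe(name));
            System.out.println();
        }
    }
}
```

Compile and run with `javac AttachmentPreviewExample.java && java AttachmentPreviewExample` (Java 10 or later for the `URLEncoder.encode(String, Charset)` overload). In a template engine the same outcome comes from enabling auto-escaping for the view rather than escaping by hand; either way, filtering characters out of filenames at upload is at best a secondary control, since it does nothing for values already stored and breaks legitimate names such as the quoted one above.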
FACTION is a PenTesting Report Generation and Collaboration Framework. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.