CVE-2025-57805

The Scratch Channel's Publish Articles POST Request Can Upload Articles Without Validation

CVSS 8.7 HIGHEPSS 0.3%CWE-20

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

25 ago 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles, can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Productos afectados

The-Scratch-Channel · tsc-web-client

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/The-Scratch-Channel/tsc-web-client/security/advisories/GHSA-h5rj-2466-qr23