CVE-2025-57805

The Scratch Channel's Publish Articles POST Request Can Upload Articles Without Validation

CVSS 8.7 HIGHEPSS 0.3%CWE-20

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

25 ago 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles, can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Produtos afetados

The-Scratch-Channel · tsc-web-client

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/The-Scratch-Channel/tsc-web-client/security/advisories/GHSA-h5rj-2466-qr23