CVE-2025-24885
Published: 30 January 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24885 is a stored cross-site scripting (XSS) vulnerability, associated with CWE-79 and CWE-284, in the dojo component of pwn.college, an educational platform for hands-on cybersecurity learning and practice. The issue arises from missing access control on rendering custom unprivileged dojo pages, enabling users to inject and store malicious scripts that execute in the context of other users viewing those pages. The vulnerability was published on 2025-01-30 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
Low-privileged users (PR:L), such as registered accounts on pwn.college, can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as victims accessing the affected dojo pages. Exploitation changes scope (S:C) and primarily achieves high confidentiality impact (C:H), potentially allowing attackers to steal sensitive data like session tokens or user information from victims, alongside low integrity impact (I:L) and no availability disruption (A:N).
Mitigation details are available in the GitHub security advisory for the pwn.college dojo repository at https://github.com/pwncollege/dojo/security/advisories/GHSA-8m79-rmhw-rg84.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection of scripts that execute in victim browsers to steal session tokens (T1539 Steal Web Session Cookie) and hijack sessions (T1185 Browser Session Hijacking).