CVE-2025-66022
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| factionsecurity | faction | < 1.7.1 | affected |
Weaknesses
- CWE-829: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w
- https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.