The Scratch Channel’s Publish Articles POST Request Can Upload Articles...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles, can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2.

Basic Information

ID CVE-2025-57805

Source GitHub_M

Published Aug 25, 2025 at 21:15

Affected Product

Vendor The-Scratch-Channel

Product tsc-web-client

Version >= 1, < 1.2

Affected Versions The-Scratch-Channel tsc-web-client >= 1, < 1.2

CWE Classification

CWE-20

References

github.com /The-Scratch-Channel/tsc-web-client/security/advisories/GHSA-h5rj-2466-qr23

{
    "lastseen": "",
    "description": "The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles, can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2.",
    "published": "2025-08-25T21:15:50.878Z",
    "modified": "2025-08-25T21:15:50.878Z",
    "type": "cve",
    "title": "The Scratch Channel's Publish Articles POST Request Can Upload Articles Without Validation",
    "source": "GitHub_M",
    "references": "https://github.com/The-Scratch-Channel/tsc-web-client/security/advisories/GHSA-h5rj-2466-qr23",
    "id": "CVE-2025-57805",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "The-Scratch-Channel tsc-web-client >= 1, < 1.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tsc-web-client",
    "version": ">= 1, < 1.2",
    "vendor": "The-Scratch-Channel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

The Scratch Channel’s Publish Articles POST Request Can Upload Articles Without Validation_CVE-2025-57805