Multiple vulnerabilities in HAWKI


Multiple vulnerabilities


HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany)

Vulnerable Version

1.0.0-beta.1, versions before commit 146967f

Fixed Version

Github commit 146967f

CVE Number

CVE-2024-25975, CVE-2024-25976, CVE-2024-25977






Florian Stuhlmann, Thorger Jansen (Office Bochum) | SEC Consult Vulnerability Lab

HAWKI, a didactic interface for universities, suffered from three vulnerabilities, which allowed attackers to overwrite arbitrary files, execute JavaScript code in case LDAP is enabled and fixate sessions. Attackers were potentially able to take over other user accounts by exploiting these issues. (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany)


Vendor description

"HAWKI is a didactic interface for universities based on the OpenAI API. It is not necessary for users to create an account, the university ID is sufficient for login - no user-related data is stored."


Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description

1) Arbitrary File Overwrite (CVE-2024-25975)

The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticated attacker, the content cannot be controlled. It is possible to overwrite all files for which the webserver has write access. It is required to supply a relative path (path traversal).

2) Reflected Cross-Site-Scripting (CVE-2024-25976)

When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser.

3) Session Fixation (CVE-2024-25977)

The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.

Proof of concept

1) Arbitrary File Overwrite (CVE-2024-25975)

The following POST request can overwrite the file "AvatarFinanzen.png". This file is a default file located within the "img" folder.

POST /downvote.php HTTP/2
Host: $host
Cookie: PHPSESSID=<Session Id>
Content-Type: application/x-www-form-urlencoded
Content-Length: 25


Both upvote.php and downvote.php are vulnerable. The vulnerable part in downvote.php is:

 $id = file_get_contents("php://input");
 $sanitizedId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
 $file = "feedback/" . $sanitizedId;
 file_put_contents("feedback/$sanitizedId", json_encode($json));

2) Reflected Cross-Site-Scripting (XSS) (CVE-2024-25976)

A call to the following URL will trigger an alertbox:

https:// $host/HAWKI/login.php/"><script>alert(document.cookie)</script>

This is due to a fault in the file login.php where the content of "$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue.

The following code is vulnerable:

 $server = $_SERVER['PHP_SELF'];
 echo '<form action = "' . $server . '" class="column" method = "post" >

The vulnerability is exploitable with the Apache2 default configuration.
For other webservers, the vulnerability might not be exploitable.

3) Session Fixation (CVE-2024-25977)

The attacker changes the value of PHPSESSID within the victim's browser to something like "abc". An attacker with the same value for PHPSESSID is now authenticated as well after the victim uses successfully logs in.

Vulnerable / tested versions

The following version has been tested which was the latest version available at the time of the test:

  • 1.0.0-beta.1

Vendor contact timeline

2024-03-21 Contacting vendor through email referenced on Github
2024-03-22 Asking about email encryption, sending report unencrypted as requested.
2024-04-17 Asked the vendor again to receive details regarding the timeline.
2024-04-18 Vendor provides a patch pushed to the public repository.
2024-05 Fix verification phase.
2024-05-27 Release of security advisory.


The vendor provides a patch which can be downloaded from



No workaround available.


Advisory URL

EOF Florian Stuhlmann, Thorger Jansen @2024


Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices