A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire...
9.8CVSS
7.2AI Score
0.0004EPSS
An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml...
6.1CVSS
6.6AI Score
0.001EPSS
A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator...
8.8CVSS
9AI Score
0.001EPSS
Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive...
7.5CVSS
7.4AI Score
0.001EPSS
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset...
9.8CVSS
9.7AI Score
0.734EPSS
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword...
9.8CVSS
9.6AI Score
0.786EPSS
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword...
9.8CVSS
9.5AI Score
0.791EPSS
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check...
9.8CVSS
9.4AI Score
0.813EPSS
An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack...
6.1CVSS
6.8AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords,...
8.8CVSS
6.7AI Score
0.001EPSS
Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations and/or access arbitrary files, aka /media/api Directory...
9.8CVSS
6.8AI Score
0.006EPSS
SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents...
9.1CVSS
9AI Score
0.007EPSS