CVE-2024-2001 Cross-Site Scripting vulnerability in Cockpit CMS

2024-02-2913:30:54

CWE-79

INCIBE

www.cve.org

cve-2024-2001

cross-site scripting

cockpit cms

infected pdf

javascript payload

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

9.0%

JSON

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Cockpit CMS",
    "vendor": "Cockpit CMS",
    "versions": [
      {
        "status": "affected",
        "version": "2.7.0"
      }
    ]
  }
]