Lucene search

GoogleOSV:GHSA-Q76R-7P4Q-MQPW

HistoryFeb 29, 2024 - 3:32 p.m.

Cockpit CMS Cross-Site Scripting vulnerability

2024-02-2915:32:26

Google

osv.dev

cross-site scripting

cockpit cms

version 2.7.0

file upload

javascript payload

security vulnerability

pdf infection

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

CPENameOperatorVersion
cockpit-hq/cockpiteq2.7.0

CPE	Name	Operator	Version
	cockpit-hq/cockpit	eq	2.7.0

References

github.com/Cockpit-HQ/Cockpit

nvd.nist.gov/vuln/detail/CVE-2024-2001

www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cockpit-cms