📄 Cockpit CMS 0.13.0 Cross Site Scripting

02 Feb 2026 | Reported by Omar Kurt | Type: packetstorm | Source: packetstorm.news

Cockpit CMS 0.13.0 contains reflected cross-site scripting flaws in the collections entries and mediamanager endpoints (filter and path parameters); the attacker needs no authentication.

Cockpit CMS 0.13.0 - Multiple Reflected XSS
    Advisory ID: RO-16-003
    Severity: Medium
    Vendor: Cockpit
    Product: Cockpit CMS
    Version: 0.13.0
    
    
    Overview #
    
    Multiple reflected cross-site scripting (XSS) vulnerabilities exist in Cockpit CMS version 0.13.0. The filter and path request parameters are reflected into the response without adequate output encoding, which lets a remote attacker inject arbitrary web script or HTML into pages rendered for a victim user.
    
    
    Vulnerability Details #
    
    Affected Versions: 0.13.0 and earlier
    
    Location: /collections/entries/ and /mediamanager/api endpoints
    
    Affected Parameters: filter and path
    
    Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.
    
    
    Exploitation Requirements #
    
        No authentication required on the attacker's side; the impact is that of the victim's session (e.g. an authenticated administrator)
        Victim must open a crafted URL (collections/entries) or submit a crafted POST (mediamanager/api); the second PoC is a POST, so it needs a delivery vehicle such as an attacker-controlled page that auto-submits a form, not a bare link
    
    Impact #
    
    Remote attackers can exploit these vulnerabilities to:
    
        Steal admin session cookies
        Perform actions on behalf of users
        Access CMS data
    
    Proof of Concept #
    
    GET /cockpit-0.13.0/collections/entries/{HASH}&filter='"--></style></scRipt><scRipt>alert(0x0032AA)</scRipt> HTTP/1.1
    Host: target.com
    
    POST /cockpit-0.13.0/mediamanager/api HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    path=><iMg src=N onerror=alert(9)>
    
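    The root cause and the fix, modelled as an added example in Python (not Cockpit CMS's own PHP code): both PoC payloads above are reflected into assumed HTML contexts and the result is parsed the way a browser would, so the effect of missing output encoding is visible offline. The templates and function names are assumptions inferred from the payload shapes (the path payload's leading ">" only makes sense if no quote has to be closed first). The example also shows the practitioner caveat that HTML-encoding alone does not neutralise the path payload in an unquoted attribute: the fix must quote the attribute as well as encode the value.

```python
"""Model of the two reflected XSS bugs from the advisory (added example,
not Cockpit's code). Templates are assumptions, not Cockpit's real markup."""
import html
from html.parser import HTMLParser

# The two payloads from the advisory's proof of concept, verbatim.
FILTER_PAYLOAD = "'\"--></style></scRipt><scRipt>alert(0x0032AA)</scRipt>"
PATH_PAYLOAD = "><iMg src=N onerror=alert(9)>"

# Assumed reflection contexts: filter in a quoted attribute, path in an
# unquoted one. A properly quoted path context is included for the fix.
FILTER_TEMPLATE_QUOTED = '<input name="filter" value="{value}">'
PATH_TEMPLATE_UNQUOTED = '<input name="path" value={value}>'
PATH_TEMPLATE_QUOTED = '<input name="path" value="{value}">'


def render_vulnerable(template: str, value: str) -> str:
    """Root cause: the request parameter is interpolated into HTML as-is."""
    return template.replace("{value}", value)


def render_encoded(template: str, value: str) -> str:
    """Output encoding: escape &, <, > and both quote characters."""
    return template.replace("{value}", html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Record every start tag with its attributes, as a browser parses them."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag_name, {attr_name: attr_value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(body: str):
    """Parse an HTML fragment and return its start tags (names lowercased)."""
    parser = TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


def script_executes(body: str) -> bool:
    """True if the parsed page contains a <script> element or any on*
    event-handler attribute, i.e. the reflected payload became code."""
    for tag, attrs in parsed_tags(body):
        if tag == "script" or any(name.startswith("on") for name in attrs):
            return True
    return False


def assessment():
    """Map each rendering variant to whether the payload executes."""
    return {
        "filter, unencoded (vulnerable)":
            script_executes(render_vulnerable(FILTER_TEMPLATE_QUOTED, FILTER_PAYLOAD)),
        "filter, encoded in quoted attribute (fixed)":
            script_executes(render_encoded(FILTER_TEMPLATE_QUOTED, FILTER_PAYLOAD)),
        "path, unencoded in unquoted attribute (vulnerable)":
            script_executes(render_vulnerable(PATH_TEMPLATE_UNQUOTED, PATH_PAYLOAD)),
        # Encoding alone is not enough here: the spaces in the payload still
        # start new attributes, so onerror= survives as an attribute.
        "path, encoded but still unquoted (insufficient)":
            script_executes(render_encoded(PATH_TEMPLATE_UNQUOTED, PATH_PAYLOAD)),
        "path, encoded in quoted attribute (fixed)":
            script_executes(render_encoded(PATH_TEMPLATE_QUOTED, PATH_PAYLOAD)),
    }


if __name__ == "__main__":
    for label, executes in assessment().items():
        print(f"{label:55} executes={executes}")
```

    Run it to see that only the quoted-and-encoded renderings leave both PoC payloads inert; the encoded-but-unquoted path case still yields an element with an onerror attribute, which is why the fix has to be context-aware rather than a blanket escape call.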
    
    
    Solution #
    
    Upgrade to a version of Cockpit CMS that validates the filter and path parameters and applies context-aware output encoding (quoted attributes plus HTML escaping) wherever they are reflected into a response.
    
    
    References #
    
        Invicti Advisory NS-16-015
    
    Timeline:
    
        [2016-09-19] - Advisory released
    
    Credits: Omar Kurt


Vulners AI Score: 5.2 (Medium risk)