238 matches found
CVE-2020-35847
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function...
CVE-2020-35848
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function...
CVE-2020-35846
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function...
CVE-2020-35846
Agentejo Cockpit (Cockpit CMS) before version 0.11.2 is vulnerable to a NoSQL injection via the Controller/Auth.php check function. The NoSQL query using the $eq operator can allow unauthorized access and potential data exposure or manipulation. Affected versions are
CVE-2020-35848
CVE-2020-35848 affects Agentejo Cockpit prior to 0.11.2, where the NoSQL injection vulnerability exists in the Auth controller's newpassword path. Sources consistently describe exploitation via /auth/resetpassword and /auth/newpassword, enabling manipulation of database queries and ...
CVE-2020-35847
CVE-2020-35847 affects Agentejo Cockpit (Cockpit CMS) versions before 0.11.2. The NoSQL injection occurs in Controller/Auth.php resetpassword (and related endpoints) allowing manipulation of NoSQL queries, which can enable user enumeration and extraction of password reset tokens, potentially enab...
PT-2020-17483 · Agentejo · Agentejo Cockpit
Name of the Vulnerable Software and Affected Versions: Agentejo Cockpit versions prior to 0.11.2 Description: The issue allows NoSQL injection via the check function in Controller/Auth.php. Recommendations: For versions prior to 0.11.2, update to version 0.11.2 or later to resolve the issue. As a...
CVE-2020-35846
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. Recent assessments: h00die at May 31, 2021 12:07pm UTC reported: NoSQL injection within the /auth/requestreset API. By sending JSON.generate 'user' = '$func' = 'vardump' it causes the vardump functio...
CVE-2020-35847
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. Recent assessments: h00die at May 31, 2021 12:11pm UTC reported: Similar to CVE-2020-35846, this is a NoSQL injection using the vardump function to dump all memory for the password reset...
Agentejo Cockpit NoSQL Injection Vulnerability
Agentejo Cockpit is a self-hosted "headless" and api driven lightweight, open source content management system. A NoSQL injection vulnerability exists in Agentejo Cockpit prior to version 0.11.2. The vulnerability can be exploited to conduct a NoSQL injection attack via the Controller/Auth.php...
Agentejo Cockpit SQL Injection Vulnerability
Agentejo Cockpit is a self-hosted "headless" and api-driven lightweight, open source content management system. A NoSQL injection vulnerability exists in Agentejo Cockpit versions prior to 0.11.2. The vulnerability can be exploited to conduct a NoSQL injection attack via the Controller/Auth.php...
CVE-2020-35666
Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedosbase.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id$ne=1 value...