Lucene search

Cockpit Security Vulnerabilities

cve

CVE-2017-14611

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

9.1CVSS

9AI Score

0.007EPSS

2018-04-10 03:29 PM

cve

CVE-2018-15538

Agentejo Cockpit has multiple Cross-Site Scripting vulnerabilities.

6.1CVSS

6.2AI Score

0.001EPSS

2018-10-15 07:29 PM

cve

CVE-2018-15539

Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc.

8.8CVSS

8.5AI Score

0.001EPSS

2018-10-15 07:29 PM

cve

CVE-2018-15540

Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations and/or access arbitrary files, aka /media/api Directory Traversal.

9.8CVSS

9.3AI Score

0.004EPSS

2018-10-15 07:29 PM

cve

CVE-2020-14408

An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector.

6.1CVSS

6.2AI Score

0.001EPSS

2020-06-17 08:15 PM

cve

CVE-2020-35131

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

9.8CVSS

9.7AI Score

0.675EPSS

2021-01-08 05:15 PM

cve

CVE-2020-35846

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

9.8CVSS

9.4AI Score

0.878EPSS

2020-12-30 01:15 AM

118

cve

CVE-2020-35847

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

9.8CVSS

9.4AI Score

0.836EPSS

2020-12-30 01:15 AM

119

cve

CVE-2020-35848

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

9.8CVSS

9.5AI Score

0.846EPSS

2020-12-30 01:15 AM

115

cve

CVE-2021-32857

Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

6.1CVSS

5.9AI Score

0.001EPSS

2023-02-21 03:15 PM

cve

CVE-2022-2713

Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.

9.8CVSS

9.4AI Score

0.002EPSS

2022-08-08 03:15 PM

cve

CVE-2022-2818

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.

9.8CVSS

8.7AI Score

0.001EPSS

2022-08-15 11:21 AM

cve

CVE-2023-0759

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

8.8CVSS

5.6AI Score

0.001EPSS

2023-02-09 02:15 PM

cve

CVE-2023-0780

Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.

5.4CVSS

4.4AI Score

0.001EPSS

2023-02-11 02:20 AM

cve

CVE-2023-1160

Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.

5.5CVSS

4.9AI Score

0.0005EPSS

2023-03-03 02:15 AM

cve

CVE-2023-1313

Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.

8.8CVSS

7.3AI Score

0.001EPSS

2023-03-10 12:15 PM

cve

CVE-2023-37649

Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

7.5CVSS

7.4AI Score

0.002EPSS

2023-07-20 08:15 PM

134

cve

CVE-2023-37650

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

8.8CVSS

8.9AI Score

0.001EPSS

2023-07-20 08:15 PM

cve

CVE-2023-41564

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

6.1CVSS

6.6AI Score

0.001EPSS

2023-09-08 11:15 PM

cve

CVE-2023-4195

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

8.8CVSS

8.7AI Score

0.002EPSS

2023-08-06 06:15 PM

cve

CVE-2023-4196

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-06 06:15 PM

cve

CVE-2023-4321

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

6.1CVSS

6.1AI Score

0.001EPSS

2023-08-14 11:15 AM

cve

CVE-2023-4395

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-17 04:15 AM

cve

CVE-2023-4422

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

4.8CVSS

5AI Score

0.001EPSS

2023-08-18 07:15 PM

113

cve

CVE-2023-4432

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

6.1CVSS

6.2AI Score

0.001EPSS

2023-08-19 01:15 AM

109

cve

CVE-2023-4433

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-19 01:15 AM

111

cve

CVE-2023-4451

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

6.1CVSS

6AI Score

0.002EPSS

2023-08-20 03:15 PM

cve

CVE-2024-4825

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

9.8CVSS

9.4AI Score

0.0004EPSS

2024-05-14 03:45 PM