CVE-2021-3660

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

CVE-2023-37649

Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

CVE-2020-35847

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

CVE-2020-35846

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

CVE-2021-3698

A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or th...

CVE-2020-35848

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

CVE-2023-4422

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2023-4433

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4432

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2024-2001

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

CVE-2022-2818

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.

CVE-2023-1313

Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.

CVE-2024-4825

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

CVE-2022-2713

Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.

CVE-2023-4451

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4395

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-1160

Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.

CVE-2017-14611

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

CVE-2023-41564

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

CVE-2020-14408

An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector.

CVE-2023-0780

Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.

CVE-2020-35131

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

CVE-2023-4195

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2018-15540

Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations and/or access arbitrary files, aka /media/api Directory Traversal.

CVE-2023-4196

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2023-0759

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

CVE-2021-32857

Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

CVE-2023-4321

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

CVE-2023-37650

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2018-15539

Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc.

CVE-2018-15538

Agentejo Cockpit has multiple Cross-Site Scripting vulnerabilities.

CVE-2025-7053

A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11....