Lucene search

Veracode Vulnerability DatabaseVERACODE:45719

HistoryMar 01, 2024 - 9:33 a.m.

Cross Site Scripting(XSS)

2024-03-0109:33:07

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cockpit

cross site scripting

input validation

authenticated user

pdf file

javascript payload

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

cockpit-hq/cockpit is vulnerable to Cross Site Scripting(XSS). The vulnerability is due to inadequate input validation, allowing an authenticated user to upload a PDF file containing a malicious JavaScript payload, which is executed upon file upload.

CPENameOperatorVersion
cockpit-hq/cockpitle2.7.0
cockpit-hq/cockpitle2.7.0

CPE	Name	Operator	Version
	cockpit-hq/cockpit	le	2.7.0
	cockpit-hq/cockpit	le	2.7.0

References

github.com/advisories/GHSA-q76r-7p4q-mqpw

www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cockpit-cms