CVE-2020-35846
published 2020-12-30

CVE-2020-35846: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

Priority: P1 (80), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 93.20% (99.8th percentile)

Affected (1 range)

Vendor     Product    Version range    Fixed in
agentejo   cockpit    < 0.11.2         0.11.2

Detection & IOCs (extracted from sources)

url: /auth/check
command: POST /auth/check with body {"auth":{"user":{"$eq":"admin"},"password":[0]}}
  • HTTP response body contains the string 'password_verify() expects parameter' when the NoSQL injection payload is successful against /auth/check
  • Exploit sends a POST request to /auth/check with Content-Type: application/json and a NoSQL $eq operator payload in the 'auth' field to bypass authentication
  • Shodan fingerprint for Cockpit CMS instances: search for http.favicon.hash:688609340 or http.html:"cockpit"
  • FOFA fingerprint for Cockpit CMS instances: icon_hash=688609340 or body="cockpit"
  • Metasploit module exploits NoSQLi to retrieve user list and password reset tokens, then uses command injection for RCE — all via HTTP against Cockpit CMS 0.10.0–0.11.1
  • NoSQL injection payload using $func operator sent to /auth/requestreset endpoint to enumerate usernames
  • NoSQL injection payload using $func operator sent to /auth/resetpassword endpoint to dump password reset tokens
  • Response pattern to detect successful username enumeration via NoSQLi: regex matches 'string(<N>) "<username>"' in the HTTP response body
  • Vulnerability affects Cockpit CMS versions 0.10.0 through 0.11.1 inclusive; version 0.11.2 and later are patched
  • The injection point is the Controller/Auth.php check function; the $eq and $func NoSQL operators are the primary attack vectors

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P