CVE-2020-35847
published 2020-12-30

CVE-2020-35847: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

Priority: P181 (critical, 9.8 CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 98.29% (99.9th percentile)

Affected

1 range

Vendor     Product   Version range   Fixed in
agentejo   cockpit   < 0.11.2        0.11.2

Detection & IOCs (extracted from sources)

url: /auth/requestreset
url: /auth/resetpassword
url: /auth/newpassword
command: {"user": {"$func": "var_dump"}}
command: {"token": {"$func": "var_dump"}}
yara regex: 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'
  • Detect NoSQL injection attempts against Cockpit CMS by monitoring POST requests to /auth/requestreset or /auth/resetpassword with JSON bodies containing '$func' operator keys (e.g., {"$func": "var_dump"}).
  • Exploit responses containing var_dump-style output (matching regex 'string\([0-9]{1,3}\)\s*"([\w-]+)"') in the HTTP body indicate successful NoSQL injection and data exfiltration of usernames or reset tokens.
  • Identify Cockpit CMS instances as attack targets using Shodan favicon hash 688609340 or FOFA icon_hash=688609340.
  • The full exploit chain targets /auth/requestreset (user enumeration), /auth/resetpassword (token dump), and /auth/newpassword (user detail extraction) in sequence — alert on rapid sequential POST requests to all three endpoints from the same source IP.
  • Content-Type: application/json is used in all exploit requests; correlate with the $func NoSQL operator in the JSON body to reduce false positives.
  • The vulnerability affects Cockpit CMS versions 0.10.0 through 0.11.1 inclusive; version 0.11.2 and later are patched. Ensure detection rules are scoped to these versions where version fingerprinting is available.
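The detection notes above can be turned into a small log-review routine. The following is an added example written for this page, not code from the vulnerability source or from the Cockpit project: it takes request/response records (a constructed sample, not real traffic, using the endpoint names, the `$func` payloads and the var_dump regex listed above), flags JSON POSTs to the reset endpoints that carry a `$func` operator key, flags responses that leak var_dump-style strings, and reports source IPs that hit all three endpoints inside one time window. The record field names (`ts`, `src_ip`, `request_body`, ...) are assumptions for the example.

```python
import json
import re
from collections import defaultdict

# Endpoints named in the IOC list for this CVE.
RESET_ENDPOINTS = ("/auth/requestreset", "/auth/resetpassword", "/auth/newpassword")

# Regex from the detection notes: var_dump()-style output leaking a string value.
VAR_DUMP_RE = re.compile(r'string\([0-9]{1,3}\)\s*"([\w-]+)"')


def has_operator_key(value, operator="$func"):
    """Recursively check a parsed JSON body for a MongoDB-style operator key."""
    if isinstance(value, dict):
        return any(k == operator or has_operator_key(v, operator)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_key(v, operator) for v in value)
    return False


def classify_request(entry):
    """Return the findings for one request/response record (empty if benign)."""
    findings = []
    is_reset_post = (entry.get("method") == "POST"
                     and entry.get("path") in RESET_ENDPOINTS
                     and "application/json" in entry.get("content_type", ""))
    if not is_reset_post:
        return findings
    try:
        body = json.loads(entry.get("request_body", ""))
    except ValueError:
        body = None  # malformed JSON: nothing to inspect for operators
    if has_operator_key(body):
        findings.append("nosql_operator_in_body")
    match = VAR_DUMP_RE.search(entry.get("response_body", ""))
    if match:
        findings.append("var_dump_in_response:" + match.group(1))
    return findings


def detect_chains(entries, window_seconds=120):
    """Return source IPs that POST to all three reset endpoints within the window."""
    hits = defaultdict(list)  # src_ip -> [(ts, path), ...]
    for e in entries:
        if e.get("method") == "POST" and e.get("path") in RESET_ENDPOINTS:
            hits[e["src_ip"]].append((e["ts"], e["path"]))
    flagged = set()
    for ip, events in hits.items():
        events.sort()
        for i, (start_ts, _) in enumerate(events):
            seen = {p for ts, p in events[i:] if ts - start_ts <= window_seconds}
            if seen.issuperset(RESET_ENDPOINTS):
                flagged.add(ip)
                break
    return flagged


# Constructed sample records (not real traffic): one ordinary reset request and
# an injection sequence from a single source using the payloads listed above.
# Field names are an assumption of this example; adapt them to your log format.
SAMPLE_LOG = [
    {"ts": 1000, "src_ip": "198.51.100.7", "method": "POST", "path": "/auth/requestreset",
     "content_type": "application/json", "request_body": '{"user": "alice"}',
     "response_body": '{"message":"Recovery email sent"}'},
    {"ts": 1010, "src_ip": "203.0.113.5", "method": "POST", "path": "/auth/requestreset",
     "content_type": "application/json", "request_body": '{"user": {"$func": "var_dump"}}',
     "response_body": 'string(5) "admin"\n'},
    {"ts": 1015, "src_ip": "203.0.113.5", "method": "POST", "path": "/auth/resetpassword",
     "content_type": "application/json", "request_body": '{"token": {"$func": "var_dump"}}',
     "response_body": 'string(32) "0123456789abcdef0123456789abcdef"\n'},
    {"ts": 1020, "src_ip": "203.0.113.5", "method": "POST", "path": "/auth/newpassword",
     "content_type": "application/json",
     "request_body": '{"token": "0123456789abcdef0123456789abcdef"}',
     "response_body": '{"user":{"user":"admin"}}'},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec["src_ip"], rec["path"], classify_request(rec) or "clean")
    print("chain suspects:", detect_chains(SAMPLE_LOG))
```

The operator check walks the whole body rather than only the top-level `user`/`token` keys, so a payload nested one level deeper is still caught; the response check is what separates an attempt from a successful dump, and the chain check is the cross-request correlation the notes recommend for reducing false positives.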

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P