CVE-2020-35848
published 2020-12-30

CVE-2020-35848: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

Priority: P180
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 74.99% (99.4th percentile)

Affected

1 range

Vendor    Product   Version range   Fixed in
agentejo  cockpit   < 0.11.2        0.11.2

Detection & IOCs (extracted from sources)

url      /auth/newpassword
url      /auth/resetpassword
url      /auth/requestreset
command  {"token": {"$func": "var_dump"}}
command  {"token":{"$func":"var_dump"}}
command  {"user":{"$func":"var_dump"}}
other    http.favicon.hash:688609340
  • POST request to /auth/newpassword with a JSON body containing a MongoDB operator key '$func' with value 'var_dump' is the canonical exploit payload for this CVE.
  • Successful exploitation produces a response body matching the regex pattern 'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"' — a PHP var_dump output of a reset token prefixed with 'rp-'.
  • Shodan fingerprint for Cockpit CMS instances: favicon hash 688609340. Use it to identify exposed targets.
  • FOFA fingerprint for Cockpit CMS: icon_hash=688609340 or body contains 'cockpit'.
  • All exploit requests use Content-Type: application/json — inspect POST bodies to /auth/* endpoints for JSON objects containing MongoDB operator keys (e.g., $func, $gt, $ne) as injection indicators.
  • The nuclei template targets Cockpit versions prior to 0.12.0; NVD lists the patched version as 0.11.2. Ensure detection coverage spans both version boundaries.
  • The exploit script (exploit-db 50185) covers CVE-2020-35847 (requestreset endpoint) AND CVE-2020-35848 (newpassword endpoint) in a single chain — detections should account for multi-step attack sequences across all three /auth/* endpoints.
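As an added example (not code from the advisory, the Cockpit project or the referenced nuclei template), the detection logic described in the bullets above run over constructed sample traffic: it flags JSON POST bodies to /auth/* endpoints whose keys use MongoDB operator syntax, and it checks a response body against the var_dump token-leak pattern quoted above. All sample requests and the sample response are constructed, not real captures.

```python
import json
import re
from typing import Any, Optional

# Response pattern the advisory gives for a leaked reset token (PHP var_dump output).
TOKEN_LEAK_RE = re.compile(r'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"')

def find_operator_keys(value: Any, path: str = "") -> list:
    """Recursively collect JSON paths whose key starts with '$' (MongoDB operator syntax)."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if key.startswith("$"):
                hits.append(here)
            hits.extend(find_operator_keys(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits

def inspect_request(method: str, path: str, content_type: str, body: str) -> list:
    """Operator-key paths in a JSON POST to /auth/*; [] when out of scope or not valid JSON."""
    if method.upper() != "POST" or not path.startswith("/auth/"):
        return []
    if "application/json" not in content_type.lower():
        return []
    try:
        parsed = json.loads(body)
    except ValueError:
        return []
    return find_operator_keys(parsed)

def leaked_token(response_body: str) -> Optional[str]:
    """Return the 'rp-' token when a response matches the var_dump leak pattern, else None."""
    match = TOKEN_LEAK_RE.search(response_body)
    return match.group(2) if match else None

# Constructed sample traffic (not real captures): a normal reset, the two operator-key
# bodies quoted in the advisory, and a non-JSON GET that must be ignored.
SAMPLE_REQUESTS = [
    ("POST", "/auth/newpassword", "application/json", '{"token": "rp-constructed", "password": "x"}'),
    ("POST", "/auth/newpassword", "application/json", '{"token": {"$func": "var_dump"}}'),
    ("POST", "/auth/requestreset", "application/json", '{"user": {"$func": "var_dump"}}'),
    ("GET", "/auth/newpassword", "text/html", ""),
]
# Constructed response body shaped like the leak pattern above.
SAMPLE_RESPONSE = 'string(15) "rp-0123456789ab"'
```

The recursive walk also catches operators nested inside arrays or deeper objects, so the same rule covers the other operator keys the bullet mentions ($gt, $ne) without a per-operator list.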

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P