CVE-2023-41564 — Unrestricted File Upload in Cockpit

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

20.1%

top 4.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cockpit-hq Cockpit Agentejo Cockpit

Timeline

PublishedSep 8

Latest updateSep 9

Description

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Packagistcockpit-hq/cockpit2.6.3

▶NVDagentejo/cockpit2.6.3

🔴Vulnerability Details

OSV

Cockpit CMS arbitrary file upload vulnerability↗2023-09-09

▶

GHSA

Cockpit CMS arbitrary file upload vulnerability↗2023-09-09

▶

CVEList

CVE-2023-41564: An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2↗2023-09-08

▶