cbcvebase.
CVE-2023-4451
published 2023-08-20

CVE-2023-4451: Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Priority: P3 / 38 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit likelihood (EPSS): 2.27% (80.9th percentile)

Affected

3 ranges

Vendor       Product              Version range              Fixed in
agentejo     cockpit              <= 2.6.3                   (not stated)
cockpit-hq   cockpit              0 – 2.6.3                  (not stated)
cockpit-hq   cockpit-hq_cockpit   >= unspecified, < 2.6.4    2.6.4

Detection & IOCs (extracted from sources)

URL: /install/index.php?1692443074&space=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
Path: /install/index.php
  • An HTTP GET request to /install/index.php whose `space` parameter carries unsanitized HTML/JS (e.g. <img src=1 onerror=...>) triggers the reflected XSS; the response body contains the literal string 'Space :: does not exist', the Content-Type header is text/html, and the status is HTTP 200.
  • Response body match: look for the literal string 'Space :: does not exist' to confirm the vulnerable code path was reached.
  • Shodan fingerprinting queries for exposed Cockpit instances: html:"Cockpit", http.favicon.hash:688609340, http.html:"cockpit".
  • FOFA fingerprinting queries for exposed Cockpit instances: icon_hash=688609340, body="cockpit".
  • The vulnerability affects cockpit-hq/cockpit versions prior to 2.6.4 only; the install interface (/install/index.php) must be publicly reachable for exploitation.
  • The attack is unauthenticated and targets the installation interface; if the install path is removed or access to it is restricted after installation, this attack surface is eliminated.

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD      v3.0      6.1     MEDIUM     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N