CVE-2024-4825Unrestricted File Upload in Cockpit

CWE-434Unrestricted File Upload4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 76.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cockpit-hq CockpitAgentejo Cockpit CMSAgentejo Cockpit
Timeline
PublishedMay 14

Description

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDagentejo/cockpit0.5.5
CVEListV5agentejo/cockpit_cms0.5.5
Packagistcockpit-hq/cockpit< 2.7.0

🔴Vulnerability Details

3
OSV
Cockpit CMS contains an arbitrary file upload vulenrability2024-05-14
GHSA
Cockpit CMS contains an arbitrary file upload vulenrability2024-05-14
CVEList
Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo2024-05-13
CVE-2024-4825 — Unrestricted File Upload in Cockpit | cvebase