cvebase

Agentejo Cockpit vulnerabilities

33 known vulnerabilities affecting agentejo/cockpit.

Total CVEs: 33
CISA KEV: 0
Public exploits: 6
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 9, MEDIUM 16, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2020-35131 | P1 | CRITICAL | CVSS 9.8 | Exploited, PoC | fixed in 0.6.1 | 2021-01-08
  CWE-94: Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
  Source: nvd
CVE-2020-35847 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 0.11.2 | 2020-12-30
  CWE-89: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
  Source: nvd
CVE-2020-35846 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 0.11.2 | 2020-12-30
  CWE-89: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
  Source: nvd
CVE-2020-35848 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 0.11.2 | 2020-12-30
  CWE-89: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
  Source: nvd
CVE-2024-4825 | P2 | CRITICAL | CVSS 9.8 | v0.5.5 | 2024-05-14
  CWE-434: A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
  Source: nvd
CVE-2020-14408 | P3 | MEDIUM | CVSS 6.1 | PoC | v0.10.2 | 2020-06-17
  CWE-79: An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector.
  Source: nvd
CVE-2023-4451 | P3 | MEDIUM | CVSS 6.1 | PoC | ≤ 2.6.3 | 2023-08-20
  CWE-79: Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
  Source: nvd
CVE-2017-14611 | P3 | CRITICAL | CVSS 9.1 | v0.13.0 | 2018-04-10
  CWE-918: SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.
  Source: nvd
CVE-2023-1313 | P3 | HIGH | CVSS 8.8 | ≤ 2.4.0 | 2023-03-10
  CWE-434: Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.
  Source: nvd
CVE-2023-4195 | P3 | HIGH | CVSS 8.8 | fixed in 2.6.3 | 2023-08-06
  CWE-98: PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
  Source: nvd
CVE-2026-31891 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.13.5 | 2026-03-18
  CWE-89: Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users
  Source: nvd
CVE-2019-3804 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 184-1 | 2019-03-26
  It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.
  Source: osv
CVE-2023-37649 | P3 | HIGH | CVSS 7.5 | ≤ 2.5.2 | 2023-07-20
  Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.
  Source: nvd
CVE-2022-2818 | P3 | HIGH | CVSS 8.8 | fixed in 2.2.2 | 2022-08-15
  CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.
  Source: nvd
CVE-2021-3698 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 260-1 | 2022-03-10
  A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate
  Source: osv
CVE-2023-0759 | P3 | HIGH | CVSS 8.8 | fixed in 2.3.8 | 2023-02-09
  CWE-268: Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
  Source: nvd
CVE-2024-2947 | P3 | HIGH | CVSS 7.3 | ≥ 0, < 287.1-0+deb12u1; ≥ 0, < 314-1 | 2024-03-28
  A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
  Source: osv
CVE-2023-37650 | P3 | HIGH | CVSS 8.8 | ≤ 2.5.2 | 2023-07-20
  CWE-352: A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.
  Source: nvd
CVE-2022-2713 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.2.0 | 2022-08-08
  CWE-613: Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
  Source: nvd
CVE-2023-41564 | P3 | MEDIUM | CVSS 6.1 | v2.6.3 | 2023-09-08
  CWE-434: An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.
  Source: nvd