Cockpit Arbitrary File Upload
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.
Advisories for Composer/Cockpit-Hq/Cockpit package
2025
2024
Cockpit CMS contains an arbitrary file upload vulenrability
A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
Cockpit CMS Cross-Site Scripting vulnerability
A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.
2023
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
Cross-Site Request Forgery (CSRF)
A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.
Cockpit CMS vulnerable to incorrect access control
Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.
Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.
Use of Platform-Dependent Third Party Components
Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.
Improper Restriction of Rendered UI Layers or Frames
Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.
Privilege Chaining
Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
2022
Improper Removal of Sensitive Information Before Storage or Transfer
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.