Advisories for Composer/Cockpit-Hq/Cockpit package

2024

Cockpit CMS contains an arbitrary file upload vulenrability

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

Cockpit CMS Cross-Site Scripting vulnerability

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

2023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

Cockpit CMS vulnerable to incorrect access control

Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

Unrestricted Upload of File with Dangerous Type

Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.

Use of Platform-Dependent Third Party Components

Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.

Improper Restriction of Rendered UI Layers or Frames

Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.

Privilege Chaining

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

2022

Improper Removal of Sensitive Information Before Storage or Transfer

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.