Cross-Site Scripting vulnerability in Cockpit CMS

Posted date 29/02/2024

Importance

3 - Medium

Affected Resources

Cockpit CMS, version 2.7.0.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting Cockpit CMS version 2.7.0, a simple and lightweight standalone content management system created for small and medium-sized enterprises, which has been discovered by Sergio Román Hurtado.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

CVE-2024-2001: 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | CWE-79.

Solution

There is no reported solution at this time.

Detail

CVE-2024-2001: a Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

References list

Cockpit website

Etiquetas

0day
CMS
CNA
SME
Vulnerability