Cross-Site Scripting vulnerability in Cockpit CMS

Posted date 29/02/2024
3 - Medium
Affected Resources

Cockpit CMS, version 2.7.0.


INCIBE has coordinated the publication of a medium severity vulnerability affecting Cockpit CMS version 2.7.0, a simple and lightweight standalone content management system created for small and medium-sized enterprises, which has been discovered by Sergio Román Hurtado.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-2001: 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | CWE-79.

There is no reported solution at this time.

  • CVE-2024-2001: a Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.
References list