Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo

Posted date 13/05/2024
5 - Critical
Affected Resources

Cockpit CMS, versión 0.5.5.


INCIBE has coordinated the publication of 1 vulnrability that affects Cockpit CMS from Agentejo, Cockpit provides a straightforward way to manage content for various applications, especially when you need a flexible structure and a simple API to fetch content, version 0.5.5 with critical severity which has been discovered by Rafael Pedrero.

This vulnerability have been assigned the following code, CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:

  • CVE-2024-4825: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-434

Update to version 2.7.0.


CVE-2023-0057: A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

References list