CVE-2024-4825 – cockpit-hq/cockpit
Package
Manager: composer
Name: cockpit-hq/cockpit
Vulnerable Version: >=0 <2.7.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00077 (percentile: 0.23629)
Details
Cockpit CMS contains an arbitrary file upload vulnerability. A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists of an arbitrary file upload in the ‘/media/api’ parameter via a POST request. An attacker could upload files to the server, compromising the entire infrastructure.
Metadata
Created: 2024-05-14T18:30:57Z
Modified: 2024-05-14T21:40:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vpj8-xfqc-jcv9/GHSA-vpj8-xfqc-jcv9.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-vpj8-xfqc-jcv9
Finding: F027
Auto approve: 1