Cross-Site Scripting vulnerability in Cockpit CMS
Posted date 29/02/2024
Identifier
INCIBE-2024-0108
Importance
3 - Medium
Affected Resources
Cockpit CMS, version 2.7.0.
Description
INCIBE has coordinated the publication of a medium-severity vulnerability, discovered by Sergio Román Hurtado, affecting Cockpit CMS version 2.7.0, a simple and lightweight standalone content management system created for small and medium-sized enterprises.
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-2001: 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | CWE-79.
Solution
There is no reported solution at this time.
Detail
- CVE-2024-2001: a Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.
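With no fix reported, a defender can flag uploaded PDFs that carry JavaScript action names before they are stored or served. The check below is an added example, not code from the advisory or from Cockpit CMS; the function name `active_pdf_names` and the three sample PDFs are constructed for illustration.

```python
import re
import zlib

# PDF names that carry or trigger script actions.
ACTIVE_NAMES = {b"JS", b"JavaScript", b"OpenAction", b"AA"}
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

# Constructed sample uploads (not taken from the advisory).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
HIDDEN = (b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
          + b"\nendstream\nendobj\n%%EOF\n")


def _names(data: bytes) -> set:
    """Collect PDF names, undoing #xx escapes (/J#61vaScript -> JavaScript)."""
    unescape = lambda m: bytes([int(m.group(1), 16)])
    return {HEX_ESCAPE_RE.sub(unescape, n) for n in NAME_RE.findall(data)}


def active_pdf_names(data: bytes) -> set:
    """Return the script-related names found in an uploaded PDF's bytes."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF")
    found = _names(data) & ACTIVE_NAMES
    # Dictionaries can sit inside Flate-compressed object streams, so inflate
    # each stream that decompresses (capped at 10 MB) and scan it as well.
    for m in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1), 10_000_000)
        except zlib.error:
            continue  # not Flate data; other filters and encryption are not handled
        found |= _names(inflated) & ACTIVE_NAMES
    return found


if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN), ("scripted", SCRIPTED), ("hidden", HIDDEN)):
        print(label, sorted(active_pdf_names(pdf)))
```

A non-empty result is a triage flag for review or rejection rather than proof of malice, since legitimate PDF forms also use these names.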