Cockpit CMS 0.13.0 Cross Site Scripting

Cockpit CMS 0.13.0 Cross Site Scripting

Cockpit CMS 0.13.0 - Multiple Cockpit CMS 0.13.0 Cross Site Scripting

Cockpit CMS 0.13.0 - Multiple Reflected XSS
Advisory ID: RO-16-003
Severity: Medium
Vendor: Cockpit
Product: Cockpit CMS
Version: 0.13.0


Overview #

Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML.


Vulnerability Details #

Affected Versions: 0.13.0 and earlier

Location: /collections/entries/ and /mediamanager/api endpoints

Affected Parameters: filter and path

Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.


Exploitation Requirements #

No authentication required
Victim must visit crafted URLs

Impact #

Remote attackers can exploit these vulnerabilities to:

Steal admin session cookies
Perform actions on behalf of users
Access CMS data

Proof of Concept #

GET /cockpit-0.13.0/collections/entries/{HASH}&filter='"--></style></scRipt><scRipt>alert(0x0032AA)</scRipt> HTTP/1.1
Host: target.com

POST /cockpit-0.13.0/mediamanager/api HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

path=><iMg src=N onerror=alert(9)>



Solution #

Upgrade to a patched version of Cockpit CMS that includes proper input sanitization and output encoding.


References #

Invicti Advisory NS-16-015

Timeline:

[2016-09-19] - Advisory released

Credits: Omar Kurt