Cross-Site Scripting vulnerability in Cockpit CMS
Description
A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cockpit CMS 2.7.0 allows authenticated users to upload a PDF file containing a stored XSS payload that executes when the file is uploaded.
Vulnerability
Overview
CVE-2024-2001 is a stored Cross-Site Scripting (XSS) vulnerability in Cockpit CMS version 2.7.0. The root cause is insufficient sanitization of PDF files uploaded by authenticated users. An attacker can embed a malicious JavaScript payload within a PDF file, which is then stored on the server and executed in the context of the application when the file is processed upon upload [2][3].
Exploitation
Prerequisites
An attacker must have a valid user account with upload privileges in Cockpit CMS. The attack is launched over the network and requires user interaction (the authenticated user uploads the crafted PDF). The vulnerability is assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L, indicating low attack complexity but requiring authenticated access and user interaction [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript within the victim's browser session. This could lead to disclosure of sensitive data, session hijacking, or performing actions on behalf of the authenticated user. The impact on confidentiality, integrity, and availability is each rated low [2][3].
Mitigation
As of the publication date (2024-02-29), no official patch or workaround has been provided for Cockpit CMS version 2.7.0 [3]. Administrators should restrict upload permissions to trusted users and consider applying input validation or sanitization rules for PDF files until a vendor fix is released.
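One way to apply the interim validation suggested above: reject uploaded PDFs that carry script or action-triggering dictionary keys (including the `#xx` hex-escaped name spellings PDF permits), and never serve stored PDFs inline on the application's origin. This is an added illustration, not Cockpit CMS code; the sample PDFs and the function names are constructed for this example.

```python
import re

# Constructed sample inputs: a benign minimal PDF, one with an OpenAction JavaScript
# entry, and the same payload with a hex-escaped name (/J#61vaScript == /JavaScript).
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
          b"<< /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF\n")
OBFUSCATED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
                  b"<< /S /J#61vaScript /JS (x) >> >>\nendobj\n%%EOF\n")

# PDF name objects that carry or trigger script/action execution (PDF 32000-1:2008).
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/RichMedia", "/XFA"}


def _normalise_names(data: bytes) -> bytes:
    # Name objects may encode any byte as #xx, so decode escapes before matching.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_active_content(data: bytes) -> set:
    """Return the set of script/action-related names found in a PDF byte string."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF (missing %PDF- header)")
    names = re.findall(rb"/[A-Za-z]+", _normalise_names(data))
    return {n.decode() for n in names if n.decode() in ACTIVE_NAMES}


def accept_upload(data: bytes) -> bool:
    """Accept only files that are PDFs and carry no active content."""
    try:
        return not pdf_active_content(data)
    except ValueError:
        return False


def safe_download_headers(filename: str) -> dict:
    # Even a scanned file is served as a download, with a sandboxed CSP, so a
    # browser PDF viewer never renders it (or its scripts) on the site's origin.
    clean = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % clean,
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Keyword scanning is a coarse filter that will also reject legitimate interactive PDFs; the download headers are the part that closes the browser-side execution path regardless of file content.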
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Source: ghsa-coords
- Cockpit CMS / Cockpit CMS v5, range: 2.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.