VYPR
Critical severity · NVD Advisory · Published May 13, 2024 · Updated Aug 1, 2024

Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo

CVE-2024-4825

Description

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists of an arbitrary file upload through the '/media/api' endpoint via a POST request. An attacker could upload files to the server, compromising the entire infrastructure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in Cockpit CMS v0.5.5 allows remote attackers to upload arbitrary files, leading to full server compromise.

Vulnerability

CVE-2024-4825 is an arbitrary file upload vulnerability in Agentejo Cockpit CMS version 0.5.5. The flaw is in the /media/api endpoint, which accepts file uploads via POST requests without validating either the file name's extension or the file's content [1]. An attacker can therefore upload any file, including server-side scripts; because Cockpit is a PHP application, a PHP file that lands in a web-served directory is executed by the web server rather than returned as data.
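The contrast between "accept whatever name the client sent" and a hardened upload check, as an added example. This is illustrative code written for this page, not Cockpit's code and not a reconstruction of the patched /media/api handler; the allow-listed types, magic-byte prefixes, size cap and the `naive_accept` function are all assumptions made for the example.

```python
import secrets
from typing import Tuple

# Allow-listed upload types, keyed by extension, with the magic-byte prefixes
# the content must start with. The list is an assumption for this example; a
# deployment tunes it to the types it actually needs to serve.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit

# Extensions that must never be written under a web-served path, even as a
# middle extension (shell.php.png): some handler configurations still
# execute them.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx", "htaccess",
}


def naive_accept(filename: str, data: bytes) -> Tuple[bool, str]:
    """The weak pattern the advisory describes (modelled here, not Cockpit's
    code): any non-empty client-supplied name is stored verbatim, so
    shell.php is accepted and lands on disk under that name."""
    if not filename:
        return False, "empty filename"
    return True, filename


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check. Returns (accepted, storage_name) on success or
    (False, reason) on rejection."""
    # 1. Reject any path component: the client must not choose where we write.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base != filename or base.startswith("."):
        return False, "path separators or hidden names are not allowed"

    # 2. Every dotted segment after the first is treated as an extension, so
    #    shell.php.png is refused even though its last extension is allowed.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, "executable extension rejected"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allow-list"

    # 3. Size and content: the bytes must match the type the name claims.
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"

    # 4. Polyglots: a valid image header followed by PHP still executes if the
    #    server ever runs files by path, so refuse embedded PHP open tags.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script markers rejected"

    # 5. Never keep the client's name: store under a random, server-chosen one
    #    so the attacker cannot predict or control the final path.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample content
    shell = b"<?php system($_GET['c']); ?>"    # constructed sample content
    for name, body in [("shell.php", shell), ("shell.php.png", png),
                       ("logo.png", shell), ("logo.png", png),
                       ("poly.gif", b"GIF89a" + shell)]:
        print(name, "naive:", naive_accept(name, body),
              "hardened:", validate_upload(name, body))
```

The ordering matters: name checks are cheap and run first, but the content check is the one that closes the gap the advisory describes, since an attacker controls the name completely and the magic bytes only partially. Storing under a server-generated name, ideally outside the document root, removes the remaining path-control problem.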

Attack Vector

The advisory scores the issue CVSS v3.1 9.8 (Critical) [3]. That score corresponds to a network-reachable, low-complexity attack that requires no privileges and no user interaction and has high impact on confidentiality, integrity and availability. In practice, any client that can reach the /media/api endpoint can send the upload POST; no session, account or special role is needed.

Impact

Successful exploitation enables an attacker to upload malicious files such as web shells or backdoors. This can lead to arbitrary code execution on the server, data exfiltration, and full compromise of the affected infrastructure. The integrity, confidentiality, and availability of the system are all at risk [1][3].
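A detection pass over web server access logs for the pattern the Attack Vector and Impact sections describe: a POST to the upload endpoint followed by the same client fetching a server-side script from the media area. This is an added example written for this page, not tooling from the advisory or the Cockpit project. The log lines are constructed, the `/storage/uploads/` location is an assumed upload directory rather than a claim about Cockpit's real layout, and the severity labels are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Enough of the Apache/nginx combined log format for correlation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UPLOAD_ENDPOINT = "/media/api"      # endpoint named in the advisory
UPLOAD_DIR_PREFIX = "/storage/"     # assumed media location for this example
# Server-side script extensions that should never be served from a media path.
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/May/2024:10:01:02 +0000] "POST /media/api HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [13/May/2024:10:01:05 +0000] "GET /storage/uploads/cmd.php?c=id HTTP/1.1" 200 48 "-" "curl/8.0"',
    '203.0.113.9 - - [13/May/2024:10:02:00 +0000] "POST /media/api HTTP/1.1" 200 512 "https://example.test/admin" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2024:10:02:10 +0000] "GET /storage/uploads/banner.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not
    match the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Walk the log in order. Every POST to the upload endpoint is recorded as
    'info'. A 2xx response for a script file under the media prefix is 'high'
    when the same client uploaded earlier in the log, 'medium' otherwise."""
    uploads_from: Dict[str, int] = defaultdict(int)
    findings: List[Dict[str, str]] = []
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads_from[rec["ip"]] += 1
            findings.append({
                "severity": "info", "ip": rec["ip"], "ts": rec["ts"],
                "path": rec["path"],
                "reason": "POST to unauthenticated upload endpoint",
            })
        elif (path.startswith(UPLOAD_DIR_PREFIX)
              and SCRIPT_EXT_RE.search(rec["path"])
              and rec["status"].startswith("2")):
            prior = uploads_from[rec["ip"]] > 0
            findings.append({
                "severity": "high" if prior else "medium",
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "reason": ("script served from media path after upload by same client"
                           if prior else "script served from media path"),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], f["path"], "-", f["reason"])
```

Correlating on source IP is deliberately loose: an attacker can upload from one address and trigger the shell from another, which is why the standalone "medium" finding exists. On a server where the web server never executes scripts from the media directory, the same query still pays off as a file-system audit: list files under the media path whose extension or magic bytes disagree with what the upload policy allows.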

Mitigation

The GitHub Security Advisory lists cockpit-hq/cockpit 2.7.0 as the patched release and every earlier version as affected [3], so the advisory covers not only the 0.5.5 build named in the description but all releases below 2.7.0. Upgrade to 2.7.0 or later. As of the publication date no workaround has been identified, so upgrading is the only fix; until it is applied, treat /media/api as reachable by unauthenticated clients and review the media storage directory for files with server-side script extensions or content that does not match their declared type.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: cockpit-hq/cockpit (Packagist)
Affected versions: < 2.7.0
Patched versions: 2.7.0

Affected products: 2

Patches: 0 (no patch commits discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)