Agentejo
1-25 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-9302 | | Critical | 0.63 | 9.1 | 0.11 | | May 2, 2018 | SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2017-14611 | | Critical | 0.59 | 9.1 | 0.02 | | Apr 10, 2018 | SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component. |
| CVE-2026-34965 | | High | 0.57 | 8.8 | 0.01 | | Apr 29, 2026 | Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can… |
| CVE-2024-2947 | | High | 0.47 | 7.3 | 0.01 | | Mar 28, 2024 | A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. |
| CVE-2026-4802 | | High | 0.45 | 8.0 | 0.01 | | May 11, 2026 | A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell… |
| CVE-2018-11471 | | Medium | 0.35 | 5.4 | 0.01 | | May 25, 2018 | Cockpit 0.5.5 has XSS via a collection, form, or region. |
| CVE-2024-6126 | | Low | 0.21 | 3.2 | 0.00 | | Jul 3, 2024 | A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack. |
| CVE-2020-35131 | | | 0.07 | — | 0.50 | | Jan 8, 2021 | Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. |
| CVE-2020-35846 | | | 0.04 | — | 0.93 | | Dec 30, 2020 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. |
| CVE-2020-35847 | | | 0.04 | — | 0.98 | | Dec 30, 2020 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. |
| CVE-2020-35848 | | | 0.03 | — | 0.75 | | Dec 30, 2020 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function. |
| CVE-2024-4825 | | | 0.00 | — | 0.01 | | May 13, 2024 | A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure. |
| CVE-2021-32857 | | | 0.00 | — | 0.01 | | Feb 20, 2023 | Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue. |
| CVE-2021-3698 | | | 0.00 | — | 0.01 | | Mar 8, 2022 | A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL)… |
| CVE-2021-3660 | | | 0.00 | — | 0.01 | | Mar 7, 2022 | Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks. |
| CVE-2020-35850 | | | 0.00 | — | 0.02 | | Dec 30, 2020 | An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue." |
| CVE-2020-14408 | | | 0.00 | — | 0.03 | | Jun 17, 2020 | An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector. |
| CVE-2019-5106 | | | 0.00 | — | 0.00 | | Mar 10, 2020 | A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain… |
| CVE-2019-5107 | | | 0.00 | — | 0.01 | | Mar 10, 2020 | A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes… |
| CVE-2019-5158 | | | 0.00 | — | 0.01 | | Mar 10, 2020 | An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software v1.6.1.5. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a… |