VYPR
Vendor: Agentejo

Products: 1
CVEs: 25
Across products: 25
Status: Private

Recent CVEs (25)
  • CVE-2018-9302 | Critical | May 2, 2018
    risk 0.63 | cvss 9.1 | epss 0.11

    SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for…

  • CVE-2017-14611 | Critical | Apr 10, 2018
    risk 0.59 | cvss 9.1 | epss 0.02

    SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

  • CVE-2026-34965 | High | Apr 29, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can…

  • CVE-2024-2947 | High | Mar 28, 2024
    risk 0.47 | cvss 7.3 | epss 0.01

    A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

  • CVE-2026-4802 | High | May 11, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell…

  • CVE-2018-11471 | Medium | May 25, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    Cockpit 0.5.5 has XSS via a collection, form, or region.

  • CVE-2024-6126 | Low | Jul 3, 2024
    risk 0.21 | cvss 3.2 | epss 0.00

    A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.

  • CVE-2020-35131 | Jan 8, 2021
    risk 0.07 | cvss (none listed) | epss 0.50

    Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

  • CVE-2020-35846 | Dec 30, 2020
    risk 0.04 | cvss (none listed) | epss 0.93

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

  • CVE-2020-35847 | Dec 30, 2020
    risk 0.04 | cvss (none listed) | epss 0.98

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

  • CVE-2020-35848 | Dec 30, 2020
    risk 0.03 | cvss (none listed) | epss 0.75

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

  • CVE-2024-4825 | May 13, 2024
    risk 0.00 | cvss (none listed) | epss 0.01

    A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

  • CVE-2021-32857 | Feb 20, 2023
    risk 0.00 | cvss (none listed) | epss 0.01

    Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

  • CVE-2021-3698 | Mar 8, 2022
    risk 0.00 | cvss (none listed) | epss 0.01

    A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL)…

  • CVE-2021-3660 | Mar 7, 2022
    risk 0.00 | cvss (none listed) | epss 0.01

    Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iframe> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

  • CVE-2020-35850 | Dec 30, 2020
    risk 0.00 | cvss (none listed) | epss 0.02

    An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue."

  • CVE-2020-14408 | Jun 17, 2020
    risk 0.00 | cvss (none listed) | epss 0.03

    An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector.

  • CVE-2019-5106 | Mar 10, 2020
    risk 0.00 | cvss (none listed) | epss 0.00

    A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain…

  • CVE-2019-5107 | Mar 10, 2020
    risk 0.00 | cvss (none listed) | epss 0.01

    A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes…

  • CVE-2019-5158 | Mar 10, 2020
    risk 0.00 | cvss (none listed) | epss 0.01

    An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software v1.6.1.5. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a…