VYPR

Vendor CVEs

Agentejo

All CVEs

25 total · sorted by risk
  • CVE-2018-9302 · Critical · May 2, 2018
    risk 0.63 · cvss 9.1 · epss 0.11

    SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for…

  • CVE-2017-14611 · Critical · Apr 10, 2018
    risk 0.59 · cvss 9.1 · epss 0.02

    SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

  • CVE-2026-34965 · High · Apr 29, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can…

  • CVE-2024-2947 · High · Mar 28, 2024
    risk 0.47 · cvss 7.3 · epss 0.01

    A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

  • CVE-2026-4802 · High · May 11, 2026
    risk 0.45 · cvss 8.0 · epss 0.01

    A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell…

  • CVE-2018-11471 · Medium · May 25, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Cockpit 0.5.5 has XSS via a collection, form, or region.

  • CVE-2024-6126 · Low · Jul 3, 2024
    risk 0.21 · cvss 3.2 · epss 0.00

    A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.

  • CVE-2020-35131 · Jan 8, 2021
    risk 0.07 · cvss n/a · epss 0.50

    Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.

  • CVE-2020-35846 · Dec 30, 2020
    risk 0.04 · cvss n/a · epss 0.93

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

  • CVE-2020-35847 · Dec 30, 2020
    risk 0.04 · cvss n/a · epss 0.98

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

  • CVE-2020-35848 · Dec 30, 2020
    risk 0.03 · cvss n/a · epss 0.75

    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

  • CVE-2024-4825 · May 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

  • CVE-2021-32857 · Feb 20, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

  • CVE-2021-3698 · Mar 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL)…

  • CVE-2021-3660 · Mar 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

  • CVE-2020-35850 · Dec 30, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue."

  • CVE-2020-14408 · Jun 17, 2020
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector.

  • CVE-2019-5106 · Mar 10, 2020
    risk 0.00 · cvss n/a · epss 0.00

    A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain…

  • CVE-2019-5107 · Mar 10, 2020
    risk 0.00 · cvss n/a · epss 0.01

    A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes…

  • CVE-2019-5158 · Mar 10, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software v1.6.1.5. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a…

  • CVE-2019-5159 · Mar 10, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software v1.6.0.7. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers…

  • CVE-2019-3804 · Mar 26, 2019
    risk 0.00 · cvss n/a · epss 0.05

    It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to…

  • CVE-2018-15540 · Oct 15, 2018
    risk 0.00 · cvss n/a · epss 0.02

    Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations and/or access arbitrary files, aka /media/api Directory Traversal.

  • CVE-2018-15539 · Oct 15, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc.

  • CVE-2018-15538 · Oct 15, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Agentejo Cockpit has multiple Cross-Site Scripting vulnerabilities.