Reflected xss in installation space parameter in cockpit-hq/cockpit


Reported on

Aug 19th 2023


Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code, usually in the form of scripts, into a web application. This code is then executed by unsuspecting users who visit the affected web page. in this case the path of ./install/index.php?space=XSS is vulnerable to this attack, the line 59 takes input without any validation.

I should mention that local file enumeration is also possible using the error: <FILE> does not exist and if the file do exist we dont any error.

Proof of Concept


screen shot of xss:


An attacker could execute javascript into victim browser

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a month ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago
cockpit-hq/cockpit maintainer has acknowledged this report a month ago
Artur validated this vulnerability a month ago
10Xdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.4 with commit 306094 a month ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability a month ago
a month ago


thank you so much.

to join this conversation