File Upload Bypass Leads to Stored XSS in cockpit-hq/cockpit

Status: Valid

Reported on: Aug 15th 2023


Description

The fix at https://huntr.dev/bounties/fce38751-bfd6-484c-b6e1-935e0aa8ffdc/ is not adequate: an attacker can upload a file named test.html?a=1 to bypass the check built on PHP's built-in pathinfo() function, because pathinfo() reports the extension of that name as html?a=1 rather than html, so a comparison against blocked extensions does not match. The same trick also works for .php.
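To show why an extension check that relies on pathinfo() alone can be bypassed, and what a stricter validator looks like, here is an added PHP example. It is not cockpit's own code: the function names, the blocked and allowed extension lists and the sample filenames are constructed for this demonstration.

```php
<?php
// Added example, not code from cockpit. Demonstrates that a blocklist check
// on pathinfo() accepts "test.html?a=1", and shows a stricter validator.

// Constructed lists for the demonstration (not cockpit's real configuration).
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'html', 'htm', 'svg', 'js'];
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// Weak check: trusts whatever pathinfo() reports as the extension.
// For "test.html?a=1" the reported extension is "html?a=1", which is not
// in the blocklist, so the file is accepted.
function weakCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Stricter check: reject rather than sanitize, and use an allowlist.
//  1. Only letters, digits, '_', '-' and '.' are permitted, so '?' and other
//     URL or shell metacharacters cause a rejection outright.
//  2. Every dot-separated segment after the first must be an allowed
//     extension, which also refuses double-extension names such as a.php.png.
function strictCheck(string $filename): bool
{
    $base = basename($filename);
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$/', $base)) {
        return false;
    }
    $segments = explode('.', $base);
    array_shift($segments); // drop the base name, keep the extension(s)
    foreach ($segments as $segment) {
        if (!in_array(strtolower($segment), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names: the bypass string from the report, the .php
// variant, a legitimate image, and a plainly blocked HTML file.
$samples = ['test.html?a=1', 'test.php?a=1', 'photo.jpg', 'page.html'];
foreach ($samples as $name) {
    printf(
        "%-16s pathinfo ext=%-10s weak=%-7s strict=%s\n",
        $name,
        pathinfo($name, PATHINFO_EXTENSION),
        weakCheck($name) ? 'accept' : 'reject',
        strictCheck($name) ? 'accept' : 'reject'
    );
}
```

Run it with `php` on the command line; the weak check accepts both `?a=1` names while the strict check rejects them and only lets `photo.jpg` through. The design point is that a blocklist on a derived extension inherits every quirk of the derivation function, whereas rejecting unexpected characters and allowlisting the full extension chain leaves no such gap.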

Proof of Concept

// payload.html?a=1
<script>alert('xss')</script>

POC Video: https://drive.google.com/file/d/1PZmAhAKMRsA2VB6fMng7UyCYn57iFdpr/view?usp=sharing

Impact

An attacker can upload a file containing malicious script that executes in the browser of anyone who views it (stored XSS).

Occurrences

An attacker can use a filename such as test.html?a=1 to bypass the extension check built on PHP's pathinfo() function.

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. (a month ago)
ColaKumi modified the report (a month ago)
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back (a month ago)
Artur validated this vulnerability (a month ago)
ColaKumi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.4 with commit 36d1d4 (a month ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Artur published this vulnerability (a month ago)
bootstrap.php#L90 has been validated