STORED XSS in File Upload in cockpit-hq/cockpit

Valid

Reported on

Aug 14th 2023


Description

In the file upload, I can't upload files with extensions like html, php, ..., but I can upload a file with the extension "inc", and that leads to stored XSS.

Proof of Concept

https://drive.google.com/file/d/1eDE63KXbZLYraDus6hSXwiT_aLDVx9ut/view?usp=sharing

Impact

Through this vulnerability, an attacker is able to execute malicious code.

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a month ago
nyeooo modified the report
a month ago
nyeooo
a month ago

Researcher


I uploaded my report to the newest version (2.6.3) (still got stored XSS).

We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago
nyeooo
a month ago

Researcher


Any update for this?

Artur validated this vulnerability a month ago
nyeooo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.4 with commit 36d1d4 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Artur published this vulnerability a month ago
Assets.php#L140-L192 has been validated
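
The description above reports that an upload filter refusing html and php still accepted "inc". As an added example (not code from the report or from Cockpit; the extension lists, function names and sample file names are assumptions), this PHP compares a denylist check with a default-deny allowlist on the same inputs:

```php
<?php
declare(strict_types=1);

// Hypothetical denylist, modelled on the behaviour the report describes:
// html and php are refused, anything not listed is accepted.
const DENIED_EXTENSIONS = ['html', 'htm', 'php', 'phtml', 'js', 'svg'];

// Hypothetical allowlist for an asset store: only types the application
// actually needs to serve. Everything else is refused by default.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt', 'csv'];

/** Last extension of a client-supplied name, lower-cased; '' if none. */
function uploadExtension(string $clientName): string
{
    // Drop any path component and trailing dots/spaces ("x.php." / "x.php ").
    $name = rtrim(basename(str_replace('\\', '/', $clientName)), ". \t");
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

function denylistAccepts(string $clientName): bool
{
    return !in_array(uploadExtension($clientName), DENIED_EXTENSIONS, true);
}

function allowlistAccepts(string $clientName): bool
{
    // Refuse control characters (including NUL) outright.
    if (preg_match('/[\x00-\x1f]/', $clientName) === 1) {
        return false;
    }
    // An empty extension is not on the allowlist, so "noext" is refused too.
    return in_array(uploadExtension($clientName), ALLOWED_EXTENSIONS, true);
}

// Constructed sample file names, not taken from the report.
$samples = ['photo.JPG', 'page.html', 'payload.inc', 'notes.txt', 'noext', 'shell.php.'];

foreach ($samples as $s) {
    printf("%-12s denylist=%-6s allowlist=%s\n", $s,
        denylistAccepts($s) ? 'accept' : 'reject',
        allowlistAccepts($s) ? 'accept' : 'reject');
}
```

The denylist accepts `payload.inc` and `noext` because neither is listed, while the allowlist refuses both without needing to know in advance which extensions are dangerous.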