Cross-site Scripting (XSS) - Reflected in cockpit-hq/cockpit

Valid

Reported on Aug 15th 2023


Description

A reflected Cross-Site Scripting (XSS) vulnerability lets an attacker execute arbitrary JavaScript in a victim's browser. In this application, two API viewer endpoints reflect request parameters into the page without encoding:

 Payload: "><script>alert(window.location)</script>

 GET /system/api/restApiViewer: passing the payload in any parameter leads to XSS.
 GET /system/api/graphqlViewer: passing the payload in the `apiKey` parameter leads to XSS.
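The following is an added example (not code from the Cockpit project or from the report) showing the root cause and the fix from a defender's stance: a request parameter rendered into an HTML attribute without encoding, beside the same rendering with HTML escaping applied, plus a small check that flags responses in which a parameter comes back as a live `<script>` tag. The parameter name `apiKey` and the payload come from the report; the HTML template is a constructed stand-in, since the page does not show the viewer's actual markup.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample input: the payload quoted in the report, sent as a
# query parameter (assumed template; the real viewer markup is not on the page).
PAYLOAD = '"><script>alert(window.location)</script>'
QUERY = urlencode({"apiKey": PAYLOAD})


def render_unsafe(api_key: str) -> str:
    """Vulnerable pattern: the parameter is interpolated straight into an attribute.

    The leading '">' in the payload closes the attribute and the tag, so the
    rest of the value becomes live markup in the response.
    """
    return f'<input type="text" name="apiKey" value="{api_key}">'


def render_safe(api_key: str) -> str:
    """Hardened pattern: HTML-encode the value before interpolation.

    html.escape with quote=True encodes <, >, &, " and ', so the value can no
    longer break out of a double-quoted attribute.
    """
    return f'<input type="text" name="apiKey" value="{html.escape(api_key, quote=True)}">'


# Matches the start of a real <script> element (not its encoded form &lt;script).
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reflects_script(query_string: str, renderer) -> bool:
    """Detection check: does any parameter value come back as an unencoded <script> tag?

    Each parameter is rendered on its own so a benign parameter cannot mask a
    reflected one. Returns True when the input carried a script tag and the
    rendered output still contains one.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if SCRIPT_TAG.search(value) and SCRIPT_TAG.search(renderer(value)):
                return True
    return False


if __name__ == "__main__":
    print("unsafe reflects script:", reflects_script(QUERY, render_unsafe))  # True
    print("safe reflects script:  ", reflects_script(QUERY, render_safe))    # False
    print(render_safe(PAYLOAD))
```

The same check can be run against captured responses rather than a local renderer: feed it the request's query string and a function that returns the recorded response body, and a True result is a reflected-XSS finding worth triaging.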

Proof of Concept

https://drive.google.com/file/d/1QS4ayL3Wngxd0Vqf9l8kob9pKomFJV4X/view?usp=share_link

Impact

Through this flaw, an attacker can execute malicious JavaScript in the victim's browser.

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. (a month ago)
Nguyen Hoan modified the report (a month ago)
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back (a month ago)
Artur validated this vulnerability (a month ago)
Nguyen Hoan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.4 with commit 2a93d3 (a month ago)
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability (a month ago)