Cross-site Scripting (Stored XSS) in cockpit-hq/cockpit


Reported on

Aug 5th 2023


For any role that has permission to execute function assets, I can upload an HTML file and that leads to XSS.

Proof of Concept

  1. Link PoC:
  2. Link video PoC:


Through this vulnerability, an attacker is capable of executing malicious scripts.
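The report above boils down to an asset-upload endpoint that accepts HTML and later serves it from the site's origin, so the browser renders it as a document. The following is an added example, not Cockpit's own code and not from the researcher: a defensive gate for a PHP upload handler plus the response headers to use when serving stored assets. The function names `assetRejectionReason` and `assetDownloadHeaders`, the extension and MIME lists, and the `$_FILES` usage sketch are assumptions for illustration.

```php
<?php
// Added example (not Cockpit's own code). Rejects uploads that could be
// rendered as active content and serves stored assets as downloads.

const ACTIVE_CONTENT_EXTENSIONS = ['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml', 'xsl', 'mhtml'];
const ACTIVE_CONTENT_MIME = ['text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml'];

/**
 * Decide whether an uploaded file may be stored as a generic asset.
 * Returns null when the file passes, otherwise a short rejection reason.
 */
function assetRejectionReason(string $originalName, string $tmpPath): ?string
{
    // 1. Check the *last* extension: "photo.jpg.html" is still HTML to a browser.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (in_array($ext, ACTIVE_CONTENT_EXTENSIONS, true)) {
        return "extension .$ext can carry active content";
    }

    // 2. Server-side MIME detection; the client-supplied Content-Type is never trusted.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmpPath) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime !== false && in_array(strtolower($mime), ACTIVE_CONTENT_MIME, true)) {
        return "detected MIME type $mime can carry active content";
    }

    // 3. Cheap sniff of the leading bytes, similar to what a browser does when it is
    //    allowed to guess: markup near the start of the file is rejected outright.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 1024);
    if (preg_match('/<\s*(!doctype|html|script|svg|iframe|body)\b/i', $head)) {
        return 'leading bytes look like markup';
    }

    return null;
}

/**
 * Headers to send with a stored asset. Even if something slips past the upload
 * gate, these stop the browser from rendering the file as a same-origin document.
 */
function assetDownloadHeaders(string $storedName): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $storedName);
    return [
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Usage sketch inside a hypothetical upload handler:
// $reason = assetRejectionReason($_FILES['file']['name'], $_FILES['file']['tmp_name']);
// if ($reason !== null) { http_response_code(415); exit("Upload rejected: $reason"); }

// Constructed sample: a file named like an image whose body is HTML is rejected.
$tmp = tempnam(sys_get_temp_dir(), 'asset');
file_put_contents($tmp, "<html><body>constructed sample, not an image</body></html>");
var_dump(assetRejectionReason('photo.jpg', $tmp)); // a non-null rejection reason
var_dump(assetRejectionReason('notes.txt', $tmp)); // still rejected: content decides, not the name
unlink($tmp);
```

The three checks are deliberately layered: the extension check is the cheapest and catches the obvious case, the `finfo` check catches renamed files, and the byte sniff catches content that libmagic classifies as plain text but a browser would still parse as markup. The headers are the backstop that matters most, since `Content-Disposition: attachment` together with `nosniff` means a stored file is never executed in the site's origin regardless of how it got there.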

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. 2 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago
Artur validated this vulnerability a month ago
quanghuy25112000 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.3 with commit 039a00 a month ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability a month ago
Assets.php#L140-L192 has been validated