File Upload Bypass Leads to Stored XSS in cockpit-hq/cockpit

Valid

Reported on

Aug 13th 2023

Description

In the file upload feature, the system did not allow uploading files with extensions like html, ... But when uploading files with extension xhtml, it leads to XSS vulnerabilities.

Proof of Concept

https://drive.google.com/file/d/1_MTa4st4POafaUAwn17n7ygp_TrF9BXp/view?usp=sharing

Impact

Through the hole. attacker can execute malicious code

Occurrences

Assets.php L140-L192

References

https://owasp.org/www-community/attacks/xss/

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a month ago

We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago

Artur validated this vulnerability a month ago

Nguyen Hoan has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Artur marked this as fixed in 2.4.3 with commit 34ab31 a month ago

Artur has been awarded the fix bounty

This vulnerability has been assigned a CVE

Artur published this vulnerability a month ago

Assets.php#L140-L192 has been validated

to join this conversation