Agentejo Cockpit CMS resetpassword NoSQLi (CVE-2020-35847)

Description

The web application uses Cockpit CMS. This version of Cockpit CMS has several NoSQL injection vulnerabilities. Successful attacks of these vulnerabilities can result in takeover of the server.

Remediation

Upgrade to the latest version of Cockpit

References

From 0 to RCE: Cockpit CMS

Related Vulnerabilities

WordPress Plugin Calendar Event Multi View SQL Injection (1.01)

WordPress Plugin Joy Of Text Lite-SMS messaging for WordPress SQL Injection (2.3.0)

WordPress Plugin FormLift for Infusionsoft Web Forms SQL Injection (7.5.17)

WordPress Plugin SEO by Squirrly SEO SQL Injection (12.3.19)

WordPress Plugin wpDataTables-WordPress Data Table, Dynamic Tables & Table Charts (Premium) Multiple Vulnerabilities (3.4.1)

Severity

High

Classification

CVE-2020-35847 CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N