Description

The web application uses Cockpit CMS. This version of Cockpit CMS has several NoSQL injection vulnerabilities. Successful attacks of these vulnerabilities can result in takeover of the server.

Remediation

Upgrade to the latest version of Cockpit

References

From 0 to RCE: Cockpit CMS

Related Vulnerabilities

WordPress Plugin OdiHost Newsletter 'openstat.php' SQL Injection (1.0)

WordPress Plugin Mingle Forum Multiple Cross-Site Scripting and SQL Injection Vulnerabilities (1.0.32.1)

WordPress Plugin Booking Calendar SQL Injection (8.4.4)

WordPress Plugin Facebook Promotion Generator for WordPress 'fbActivate.php' SQL Injection (1.3.3)

WordPress Plugin Revive Old Post-Auto Post to Social Media 'cat' Parameter SQL Injection (3.2.5)

Severity

High

Classification

CVE-2020-35847 CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

SQL Injection