Cross-site Scripting (XSS) - Reflected in cockpit-hq/cockpit

Valid

Reported on

Aug 15th 2023


Description

Reflected Cross-Site Scripting (XSS) vulnerability allows attackers to execute arbitrary external javascript code in the browser. In the application there exists a XSS vulnerability that occurs in the api:

 Payload: "><script>alert(window.location)</script>

 GET /system/api/restApiViewer: Passing XSS payload to any param leads to XSS vulnerability.
 GET /system/api/graphqlViewer: Passing XSS payload to param `apiKey` leads to XSS vulnerability.

Proof of Concept

https://drive.google.com/file/d/1QS4ayL3Wngxd0Vqf9l8kob9pKomFJV4X/view?usp=share_link

Impact

Through the hole. attacker can execute malicious code

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. 6 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 6 months ago
Nguyen Hoan modified the report
6 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back 6 months ago
Artur validated this vulnerability 6 months ago
5h4s1 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.4 with commit 2a93d3 6 months ago
Artur has been awarded the fix bounty
This vulnerability has now been published 6 months ago
to join this conversation