Cockpit
Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with the content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability stems from unsafe template rendering: the user-authored template is evaluated with `new Function()` and its output is bound with Vue's v-html directive without sanitization, so the injected code executes in the browsers of all users viewing the collection items list. A vendor-released patch (commit 72a83fc) replaces the Function-based evaluation with sandboxed JSLite execution.
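The following added example (not Cockpit's code; the `{{field}}` placeholder syntax and the item shape are assumptions) contrasts the pattern described above, a user-authored display template compiled with `new Function()` whose result is bound via v-html, with a renderer that treats the template as data and never evaluates it:

```javascript
// Added example, not Cockpit's code. Shows why compiling a user-supplied display
// template with new Function() and binding the result with v-html is stored XSS,
// beside a hardened renderer that only substitutes whitelisted placeholders.
// The "{{field}}" placeholder syntax and the item shape are assumptions.

const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Vulnerable pattern: any user with manage rights on the model authors the
// template, and it is compiled into a function. Template expressions run as
// JavaScript, and whatever string comes back is later rendered as markup by
// v-html, so literal <script> tags or expression output become active HTML.
function renderUnsafe(template, item) {
  return new Function('item', `return \`${template}\`;`)(item);
}

// Hardened pattern: the template is data, not code. Literal markup in the
// template is escaped first, then {{path}} placeholders are resolved from the
// item (dotted paths only, no expressions) and each value is HTML-escaped.
// Nothing in the template or the item is ever evaluated.
function renderSafe(template, item) {
  return escapeHtml(template).replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), item);
    return value === undefined ? '' : escapeHtml(value);
  });
}
```

Even with `renderSafe`, the output should be bound as text rather than with v-html where the UI allows it; the escaping is the fallback for the case the advisory describes, where the template output is rendered as HTML.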
NoSQL injection in Cockpit-HQ Cockpit up to version 2.13.5 allows authenticated remote attackers to manipulate data query logic through the Asset Handler or Aggregate Handler components, resulting in information disclosure with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor did not respond to the early disclosure notification.