A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
The vulnerability results from lack of proper verification of the type and content of uploaded files in the '/media/api' parameter handled by POST request (CWE-434: Unrestricted Upload of File with Dangerous Type). An attacker, without needing any privileges, can send a POST request containing a malicious file (e.g. webshell or other executable payload) directly to the vulnerable endpoint. The server accepts and saves the uploaded file without verifying its potentially dangerous nature.
An attacker can place malicious executable files on the server, which in practice enables remote code execution (RCE) and complete takeover of the server and entire infrastructure on which the application runs.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict access to the '/media/api' endpoint at the firewall or network layer until the patch is deployed, as well as monitor the server for unauthorized files in publicly accessible directories.
Agentejo Cockpit CMS version 0.5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAgentejo Cockpit
APPAgentejo0.5.5
Related vulnerabilities
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit p...
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via reg...
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.