Miggo Logo
Miggo Vulnerability Database
CVE-2023-0780

CVE-2023-0780: Improper Restriction of Rendered UI Layers or Frames in cockpit-hq/cockpit

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-0780
GHSA ID
GHSA-gm7m-rqf8-jx4m
EPSS Score
0.39203%
CWE
CWE-1021
Published
2/11/2023
Updated
2/22/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
cockpit-hq/cockpitcomposer< 2.3.92.3.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing X-Frame-Options headers in HTTP responses. The patch adds this header in the 'after' event handler in modules/App/admin.php. The anonymous function handling this event in vulnerable versions failed to implement frame restrictions, making UI layers susceptible to embedding via iframes. This matches CWE-1021's description of improper UI layer restriction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r R*stri*tion o* R*n**r** UI L*y*rs or *r*m*s in *it*u* r*pository *o*kpit-*q/*o*kpit prior to *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom missin* X-*r*m*-Options *****rs in *TTP r*spons*s. T** p*t** ***s t*is *****r in t** '**t*r' *v*nt **n*l*r in mo*ul*s/*pp/**min.p*p. T** *nonymous *un*tion **n*lin* t*is *v*nt in vuln*r**l* v*rsions **il** to impl*m*nt *r