CVSS Score

The vulnerability stems from missing CSRF token validation in admin API endpoints. The unzip function (Finder API) and the Assets API's upload logic are explicitly described in the exploit analysis as lacking CSRF checks, allowing forged requests. The patch in v2.6.0 added CSRF validation to internal API calls, confirming these functions were vulnerable. The unzip function's exploitability via CSRF-to-RCE and the Assets API's SVG upload race condition are both documented in the provided technical analysis.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cockpit-hq/cockpit | composer | < 2.6.0 | 2.6.0 |
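The following is an added example, not code from the Cockpit project or its v2.6.0 patch. It shows the generic shape of the fix the record describes: a state-changing admin API action (an "unzip" handler, here a stand-in) that before the fix trusts the session cookie alone, and after the fix is gated on a per-session CSRF token compared in constant time, with an Origin/Referer check as defence in depth. The header name `X-CSRF-Token`, the form field `csrf_token`, the origin `https://cms.example` and the function names are assumptions for illustration.

```python
"""Per-session CSRF token enforcement for state-changing API endpoints.

Constructed example, not Cockpit's code. Header/field names and the site
origin are assumptions chosen for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Methods that may change server state and therefore need a CSRF token.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token and keep the copy server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session: dict, request: Request, site_origin: str) -> bool:
    """Return True only if a state-changing request proves it came from our own
    pages: it carries the session's token and its Origin/Referer matches."""
    if request.method.upper() not in UNSAFE_METHODS:
        return True  # safe methods must not change state, so no token is needed
    expected = session.get("csrf_token")
    supplied = request.header("X-CSRF-Token") or request.form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    # Defence in depth: a cross-site request carries a foreign Origin/Referer.
    origin = request.header("Origin")
    if origin is None:
        referer = request.header("Referer")
        if referer is not None:
            parsed = urlparse(referer)
            origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin is not None and origin != site_origin:
        return False
    return True


def unzip_vulnerable(session: dict, request: Request):
    """Pre-fix shape: only the session cookie is checked, so a request the
    browser sends from any site (with the cookie attached) is accepted."""
    if request.method.upper() != "POST":
        return (405, "method not allowed")
    return (200, "archive extracted")


def unzip_patched(session: dict, request: Request, site_origin: str = "https://cms.example"):
    """Post-fix shape: the same action, gated on CSRF validation."""
    if request.method.upper() != "POST":
        return (405, "method not allowed")
    if not csrf_ok(session, request, site_origin):
        return (403, "missing or invalid CSRF token")
    return (200, "archive extracted")
```

The token is bound to the server-side session rather than to a cookie the browser would attach automatically, which is what makes a forged cross-site request fail: the attacking page cannot read the token, so it cannot include it. Keeping the Origin check as well costs nothing and catches misconfigured or missing tokens on individual endpoints, which is exactly the failure mode this record describes.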