Miggo Logo

CVE-2023-4395: Cockpit Cross-site Scripting vulnerability

8.1

CVSS Score
3.0

Basic Information

EPSS Score
0.29965%
Published
8/17/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
cockpit-hq/cockpitcomposer<= 2.6.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The patch changes two critical aspects: 1) Uses tmp_name for mime detection instead of user-controlled filename 2) Uses parse_url to safely extract extensions. The original code's pathinfo($_file, PATHINFO_EXTENSION) was vulnerable to manipulation via crafted filenames. By combining improper extension validation with potential unsanitized display of filenames in the UI, stored XSS becomes possible when malicious files are listed in the assets manager.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - Stor** in *it*u* r*pository *o*kpit-*q/*o*kpit *.*.* *n* prior. * p*t** is *v*il**l* *t *ommit **************************************** *n* *nti*ip*t** to ** p*rt o* v*rsion *.*.*.

Reasoning

T** p*t** ***n**s two *riti**l *sp**ts: *) Us*s tmp_n*m* *or mim* **t**tion inst*** o* us*r-*ontroll** *il*n*m* *) Us*s p*rs*_url to s***ly *xtr**t *xt*nsions. T** ori*in*l *o**'s p*t*in*o($_*il*, P*T*IN*O_*XT*NSION) w*s vuln*r**l* to m*nipul*tion vi