Description
Cockpit is a content management system that adds content management functionality to any site. In versions 0.12.2 and prior, insufficient HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS). There are no known patches for this issue.
References (3)
Patch, Third Party Advisory: https://github.com/agentejo/cockpit/blob/f7cd602bcc6134657ccfeb4e400b0050943dd243/assets/lib/uikit/js/components/htmleditor.js
Patch, Third Party Advisory: https://github.com/agentejo/cockpit/commit/0c6628cbff3e49bc317c97b03a4666b3a75f76cc
Exploit, Third Party Advisory: https://securitylab.github.com/advisories/GHSL-2021-1035_Cockpit_Next/
Scores
CVSS v3: 6.1
EPSS: 0.0017
EPSS Percentile: 37.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): agentejo/cockpit < 0.12.2
Published: Feb 21, 2023
Tracked Since: Feb 18, 2026