Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Cockpit CMS by agentejo

    CVE-2026-13533 (GCVE-0-2026-13533)

    Vulnerability from nvd – Published: 2026-06-29 04:00 – Updated: 2026-06-29 14:52
    VLAI
    Title
    agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access
    Summary
    A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/374541 vdb-entrytechnical-description
    https://vuldb.com/vuln/374541/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-13533 third-party-advisory
    https://vuldb.com/submit/841343 third-party-advisory
    https://gist.github.com/nov-1337/3eb0a06c602ced9c… exploit
    Impacted products
    Vendor Product Version
    agentejo Cockpit CMS Affected: 0.12.0
    Affected: 0.12.1
    Affected: 0.12.2
        cpe:2.3:a:agentejo:cockpit_cms:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    nov_ (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13533",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:36:36.412082Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T14:52:49.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:agentejo:cockpit_cms:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "htaccess Handler"
              ],
              "product": "Cockpit CMS",
              "vendor": "agentejo",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.12.0"
                },
                {
                  "status": "affected",
                  "version": "0.12.1"
                },
                {
                  "status": "affected",
                  "version": "0.12.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "nov_ (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "Files or Directories Accessible",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "Direct Request",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T04:00:07.810Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-374541 | agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/374541"
            },
            {
              "name": "VDB-374541 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/374541/cti"
            },
            {
              "name": "CVE-2026-13533 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-13533"
            },
            {
              "name": "Submit #841343 | Agentejo Cockpit CMS 0.12.2 CWE-552: Files or Directories Accessible to External Parties",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/841343"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/nov-1337/3eb0a06c602ced9c3b11b675b53947da"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-28T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-28T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-28T11:27:27.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-13533",
        "datePublished": "2026-06-29T04:00:07.810Z",
        "dateReserved": "2026-06-28T09:22:22.699Z",
        "dateUpdated": "2026-06-29T14:52:49.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4825 (GCVE-0-2024-4825)

    Vulnerability from nvd – Published: 2024-05-13 11:23 – Updated: 2024-08-01 20:55
    VLAI
    Title
    Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo
    Summary
    A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Agentejo Cockpit CMS Affected: 0.5.5
    Create a notification for this product.
    agentejo cockpit Affected: 0.5.5
        cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-13 11:14
    Credits
    Rafael Pedrero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "cockpit",
                "vendor": "agentejo",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0.5.5"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T16:04:16.036250Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T16:05:02.922Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.120Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Cockpit CMS",
              "vendor": "Agentejo",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafael Pedrero"
            }
          ],
          "datePublic": "2024-05-13T11:14:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."
                }
              ],
              "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-13T11:23:20.416Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 2.7.0.\u003cbr\u003e"
                }
              ],
              "value": "Update to version 2.7.0.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2024-4825",
        "datePublished": "2024-05-13T11:23:20.416Z",
        "dateReserved": "2024-05-13T08:15:39.916Z",
        "dateUpdated": "2024-08-01T20:55:10.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-13533 (GCVE-0-2026-13533)

    Vulnerability from cvelistv5 – Published: 2026-06-29 04:00 – Updated: 2026-06-29 14:52
    VLAI
    Title
    agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access
    Summary
    A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/374541 vdb-entrytechnical-description
    https://vuldb.com/vuln/374541/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-13533 third-party-advisory
    https://vuldb.com/submit/841343 third-party-advisory
    https://gist.github.com/nov-1337/3eb0a06c602ced9c… exploit
    Impacted products
    Vendor Product Version
    agentejo Cockpit CMS Affected: 0.12.0
    Affected: 0.12.1
    Affected: 0.12.2
        cpe:2.3:a:agentejo:cockpit_cms:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    nov_ (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13533",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:36:36.412082Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T14:52:49.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:agentejo:cockpit_cms:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "htaccess Handler"
              ],
              "product": "Cockpit CMS",
              "vendor": "agentejo",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.12.0"
                },
                {
                  "status": "affected",
                  "version": "0.12.1"
                },
                {
                  "status": "affected",
                  "version": "0.12.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "nov_ (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "Files or Directories Accessible",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "Direct Request",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T04:00:07.810Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-374541 | agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/374541"
            },
            {
              "name": "VDB-374541 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/374541/cti"
            },
            {
              "name": "CVE-2026-13533 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-13533"
            },
            {
              "name": "Submit #841343 | Agentejo Cockpit CMS 0.12.2 CWE-552: Files or Directories Accessible to External Parties",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/841343"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/nov-1337/3eb0a06c602ced9c3b11b675b53947da"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-28T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-28T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-28T11:27:27.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-13533",
        "datePublished": "2026-06-29T04:00:07.810Z",
        "dateReserved": "2026-06-28T09:22:22.699Z",
        "dateUpdated": "2026-06-29T14:52:49.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4825 (GCVE-0-2024-4825)

    Vulnerability from cvelistv5 – Published: 2024-05-13 11:23 – Updated: 2024-08-01 20:55
    VLAI
    Title
    Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo
    Summary
    A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Agentejo Cockpit CMS Affected: 0.5.5
    Create a notification for this product.
    agentejo cockpit Affected: 0.5.5
        cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-13 11:14
    Credits
    Rafael Pedrero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "cockpit",
                "vendor": "agentejo",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0.5.5"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T16:04:16.036250Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T16:05:02.922Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.120Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Cockpit CMS",
              "vendor": "Agentejo",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafael Pedrero"
            }
          ],
          "datePublic": "2024-05-13T11:14:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."
                }
              ],
              "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-13T11:23:20.416Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 2.7.0.\u003cbr\u003e"
                }
              ],
              "value": "Update to version 2.7.0.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2024-4825",
        "datePublished": "2024-05-13T11:23:20.416Z",
        "dateReserved": "2024-05-13T08:15:39.916Z",
        "dateUpdated": "2024-08-01T20:55:10.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }