.. / CVE-2020-35848

Exploit for Agentejo Cockpit <0.12.0 - NoSQL Injection (CVE-2020-35848)

Description:

Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.

Nuclei Template

View the template here CVE-2020-35848.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-35848.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2020-35848
https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
https://swarm.ptsecurity.com/rce-cockpit-cms/
https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
https://getcockpit.com/

.. / CVE-2020-35848 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Agentejo Cockpit <0.12.0 - NoSQL Injection (CVE-2020-35848)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2020-35848