CVE Details
Basic Information
| Title | Cockpit save cross site scripting |
|---|---|
| Type | cve |
| Published | 2025-07-04T02:02:05.755Z |
| Modified | 2025-07-04T02:02:05.755Z |
Product Information
| Vendor | n/a |
|---|---|
| Product | Cockpit |
| Version | 2.11.0 |
CVSS Information
| Base Score | 5.1 (MEDIUM) |
|---|---|
| Vector String | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X |
AI Analysis
| AI Description | A cross-site scripting vulnerability in Cockpit versions 2.11.0 through 2.11.3 allows a remote attacker to inject script via the name or email arguments of /system/users/save. Per the CVSS 4.0 vector, exploitation requires a low-privileged account (PR:L) and a victim who interacts with the affected page (UI:P); the impact is limited to integrity (VI:L). The vulnerability is fixed in version 2.11.4. |
|---|---|
| AI Severity | Medium |
| AI Vendor | Cockpit Project |
| AI Product | Cockpit |
| AI Version | 2.11.0, 2.11.1, 2.11.2, 2.11.3 |
Affected Products
- n/a Cockpit 2.11.0
- n/a Cockpit 2.11.1
- n/a Cockpit 2.11.2
- n/a Cockpit 2.11.3
Additional Information
| CWE List | CWE-79, CWE-94 |
|---|---|
| Source | VulDB |
Description
A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. The issue lies in an unidentified part of the handler for the file /system/users/save: manipulation of the argument name or email leads to cross site scripting. The attack can be launched remotely, although, per the CVSS vector, it requires a low-privileged account and user interaction. Upgrading to version 2.11.4 addresses this issue. The patch is identified by commit bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professionally; a patch and a new release were made available very quickly.
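The page names the bug class (CWE-79) and the sinks (the name and email arguments of a user-save endpoint) but carries no code. The block below is an added illustration of that class, not code from Cockpit or from commit bdcd5e3: a minimal in-memory user store with a save/render path that trusts the submitted fields, next to a hardened path that validates on input and encodes on output. All function names, the regex and the sample payload are this example's own assumptions.

```python
"""Illustrative stored-XSS (CWE-79) pattern on a 'save user' endpoint.

Added example, not Cockpit's code. The field names 'name' and 'email'
mirror the arguments named in the advisory; everything else is assumed.
"""
import html
import re

# Constructed sample of what a low-privileged user could submit as
# profile fields (the advisory names 'name' and 'email' as the sinks).
SAMPLE_PAYLOAD = {
    "name": '<img src=x onerror="alert(1)">',
    "email": '"><script>alert(document.cookie)</script>@example.com',
}

# Deliberately simple email shape check (assumption, not an RFC parser).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def save_user_vulnerable(store, user_id, fields):
    """Store the submitted fields verbatim: no validation at all."""
    store[user_id] = {"name": fields["name"], "email": fields["email"]}
    return store[user_id]


def render_user_vulnerable(user):
    """Interpolate stored values straight into HTML: no output encoding.
    Any admin viewing the user list executes whatever was saved."""
    return f'<tr><td>{user["name"]}</td><td>{user["email"]}</td></tr>'


def save_user_hardened(store, user_id, fields):
    """Validate on input: reject a malformed email, bound the name length.
    Validation is not the XSS fix by itself (a display name may legitimately
    contain '<'), so the render path must still encode."""
    name = fields["name"].strip()
    email = fields["email"].strip()
    if not 1 <= len(name) <= 100:
        raise ValueError("name length out of range")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    store[user_id] = {"name": name, "email": email}
    return store[user_id]


def render_user_hardened(user):
    """Contextual output encoding for an HTML text node."""
    return (
        f'<tr><td>{html.escape(user["name"], quote=True)}</td>'
        f'<td>{html.escape(user["email"], quote=True)}</td></tr>'
    )


def contains_active_markup(rendered):
    """Crude detector: did a tag survive into the rendered page unencoded?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<img" in lowered


def demo():
    """Run payload through both paths and report what reached the page."""
    store = {}
    vuln_html = render_user_vulnerable(
        save_user_vulnerable(store, 1, SAMPLE_PAYLOAD)
    )
    try:
        save_user_hardened(store, 2, SAMPLE_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    # A hostile name that passes validation is still inert once encoded.
    safe_html = render_user_hardened(
        save_user_hardened(
            store, 3, {"name": SAMPLE_PAYLOAD["name"], "email": "alice@example.com"}
        )
    )
    return {
        "vulnerable_active": contains_active_markup(vuln_html),
        "payload_rejected": rejected,
        "hardened_active": contains_active_markup(safe_html),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping both `save_user_hardened` and `render_user_hardened` is that input validation narrows the email field but cannot make a free-text display name safe; only output encoding at the point of rendering does that, which is the CWE-79 fix regardless of where a given project applies it.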