{“lastseen”:”2026-02-02T18:32:18″,”description”:”Multiple reflected cross site scripting vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive…”,”published”:”2026-02-02T00:00:00″,”modified”:”2026-02-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Cockpit CMS 0.13.0 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:214755″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Cockpit CMS 0.13.0 – Multiple Reflected XSS\\n Advisory ID: RO-16-003\\n Severity: Medium\\n Vendor: Cockpit\\n Product: Cockpit CMS\\n Version: 0.13.0\\n \\n \\n Overview #\\n \\n Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML.\\n \\n \\n Vulnerability Details #\\n \\n Affected Versions: 0.13.0 and earlier\\n \\n Location: \/collections\/entries\/ and \/mediamanager\/api endpoints\\n \\n Affected Parameters: filter and path\\n \\n Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.\\n \\n \\n Exploitation Requirements #\\n \\n No authentication required\\n Victim must visit crafted URLs\\n \\n Impact #\\n \\n Remote attackers can exploit these vulnerabilities to:\\n \\n Steal admin session cookies\\n Perform actions on behalf of users\\n Access CMS data\\n \\n Proof of Concept #\\n \\n GET \/cockpit-0.13.0\/collections\/entries\/{HASH}\\u0026filter=’\\”–\\u003e\\u003c\/style\\u003e\\u003c\/scRipt\\u003e\\u003cscRipt\\u003ealert(0x0032AA)\\u003c\/scRipt\\u003e HTTP\/1.1\\n Host: target.com\\n \\n POST \/cockpit-0.13.0\/mediamanager\/api HTTP\/1.1\\n Host: target.com\\n Content-Type: application\/x-www-form-urlencoded\\n \\n path=\\u003e\\u003ciMg src=N onerror=alert(9)\\u003e\\n \\n \\n \\n Solution #\\n \\n Upgrade to a patched version of Cockpit CMS that includes proper input sanitization and output encoding.\\n \\n \\n References #\\n \\n Invicti Advisory NS-16-015\\n \\n Timeline:\\n \\n [2016-09-19] – Advisory released\\n \\n Credits: Omar Kurt”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214755″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214755\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-02T18:32:18″,”description”:”Multiple reflected cross site scripting vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-38569","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n