Aheinze

**Name of the Vulnerable Software and Affected Versions** cockpit versions prior to 2.6.4 **Description** The issue is related to Cross-site Scripting (XSS) - Reflected in the GitHub repository cockpit-hq/cockpit. A patch is available and is anticipated to be part of version 2.6.4. **Recommendations** For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable API endpoints until the update is applied.

**Name of the Vulnerable Software and Affected Versions** cockpit versions prior to 2.6.3 **Description** The issue is related to Cross-site Scripting (XSS) - Stored in the GitHub repository cockpit-hq/cockpit. This type of attack occurs when an application stores user input data without proper validation and then displays it to other users, allowing an attacker to inject malicious scripts into the application. **Recommendations** For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cockpit versions prior to 2.6.4 **Description** The issue is related to Cross-site Scripting (XSS) - Reflected in the GitHub repository cockpit-hq/cockpit. This type of attack occurs when an application includes user input in its response without properly validating or encoding it, allowing an attacker to inject malicious scripts into the application. **Recommendations** For versions prior to 2.6.4, update to version 2.6.4 or later, which includes the patch for this issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** cockpit-hq/cockpit versions prior to 2.6.3 **Description** The issue is related to a Cross-site Scripting (XSS) - Stored vulnerability in the cockpit-hq/cockpit GitHub repository. This vulnerability exists due to inadequate protection of the web page structure, allowing a remote attacker to conduct an XSS attack. For any role that has permission to execute function assets, an attacker can upload an HTML file, leading to XSS. **Recommendations** For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload HTML files and limiting the execution of function assets to trusted roles. Additionally, restrict access to sensitive areas of the web application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** cockpit versions prior to 2.3.9 **Description** The issue is related to improper restriction of rendered UI layers or frames. **Recommendations** For versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cockpit versions prior to 2.3.8 **Description** The issue concerns a Privilege Chaining problem in the GitHub repository cockpit-hq/cockpit. **Recommendations** For versions prior to 2.3.8, update to version 2.3.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cockpit Content Platform versions prior to 2.2.2 **Description** The issue concerns the improper removal of sensitive information before storage or transfer, and it also involves a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after a user logs into their account, allowing an attacker to bypass the 2FA code. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and JWT tokens to minimize the risk of exploitation. Avoid using the affected JWT token until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Agentejo Cockpit versions prior to 0.11.2 **Description** The issue allows NoSQL injection via the `newpassword` function in the `Controller/Auth.php` file. **Recommendations** For versions prior to 0.11.2, update to version 0.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `newpassword` function in the `Controller/Auth.php` file until a patch is applied.