PT-2020-13992 · Agentejo · Agentejo Cockpit

Cz4Rym4Ryo · Published 2020-06-17 · Updated 2020-06-23 · CVE-2020-14408
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Agentejo Cockpit version 0.10.2
Description: The "to" parameter of the "/auth/login" endpoint is reflected into the login page without sufficient sanitization, so a crafted link can inject arbitrary JavaScript into the page content. This is a reflected XSS: no account is required (PR:N), but a victim has to open the attacker's URL (UI:R), after which the injected script runs in the victim's browser under the Cockpit origin.
Recommendations: For Agentejo Cockpit version 0.10.2, consider disabling access to the "/auth/login" endpoint until a patch is available, or restrict the "to" parameter so that only a same-origin relative path is accepted, and HTML-encode the value wherever it is reflected into the page.
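As an added worked example (not from the advisory and not Cockpit's own code), the following Python sketch contrasts a hypothetical login template that reflects "to" verbatim with a hardened version that first validates the value as a same-origin relative path and then HTML-encodes it at the output point. The template markup, the form action, the probe URL shape and the lab host name are assumptions made for the illustration; the payload is a constructed test string.

```python
import html
from urllib.parse import quote, urlsplit

# Added illustration for the advisory above; this is NOT Cockpit's source code.
# The template strings are hypothetical stand-ins for a login page that
# reflects the "to" parameter (used to send the user back after login).


def vulnerable_login_page(to: str) -> str:
    """Hypothetical 'before' state: the 'to' value is dropped into the markup verbatim."""
    return (
        '<form method="post" action="/auth/check">'
        f'<input type="hidden" name="to" value="{to}">'
        '</form>'
    )


def safe_redirect_target(to: str, default: str = "/") -> str:
    """Accept only a same-origin relative path; anything else falls back to default.

    Rejects absolute URLs, scheme-relative '//host' URLs, 'javascript:' and other
    schemes, backslash tricks, and control characters (which some URL parsers
    silently strip or treat as whitespace).
    """
    if not to or len(to) > 2048:
        return default
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in to):
        return default
    parts = urlsplit(to)
    if parts.scheme or parts.netloc:
        return default
    if not to.startswith("/") or to.startswith("//") or to.startswith("/\\"):
        return default
    return to


def hardened_login_page(to: str) -> str:
    """'After' state: validate the value, then HTML-encode it where it is reflected."""
    target = safe_redirect_target(to)
    return (
        '<form method="post" action="/auth/check">'
        f'<input type="hidden" name="to" value="{html.escape(target, quote=True)}">'
        '</form>'
    )


def probe_url(base: str, payload: str) -> str:
    """URL a tester would open against a lab instance (parameter name 'to' per the advisory)."""
    return f"{base.rstrip('/')}/auth/login?to={quote(payload, safe='')}"


def is_reflected_unencoded(page: str, payload: str) -> bool:
    """True if the raw payload survives into the markup, i.e. the reflection is exploitable."""
    return payload in page


# Constructed test payload: closes the value attribute and the input tag, then injects a script.
PAYLOAD = '"><script>alert(document.domain)</script>'

if __name__ == "__main__":
    print(probe_url("http://cockpit.lab.example", PAYLOAD))
    print("vulnerable reflects raw payload:", is_reflected_unencoded(vulnerable_login_page(PAYLOAD), PAYLOAD))
    print("hardened reflects raw payload:  ", is_reflected_unencoded(hardened_login_page(PAYLOAD), PAYLOAD))
```

Validation alone is not enough: even a legitimate path such as "/a&b" must be encoded at the output point, and encoding alone would still leave an open redirect to "//evil.example". The hardened version does both.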

Tags: XSS

Weakness Enumeration
Related Identifiers: CVE-2020-14408
Affected Products: Agentejo Cockpit