PT-2023-4278 · Cockpit · Cockpit

Published

2023-08-06

·

Updated

2023-08-10

·

CVE-2023-4195

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cockpit versions prior to 2.6.3

Description

The issue stems from incorrect handling of file names passed to PHP include or require functions in the Cockpit server management system, which can allow a remote attacker to execute arbitrary code. Users can upload PHP files through the system's file upload utility and thereby obtain remote code execution.

Recommendations

For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, restrict access to the file upload utility to minimize the risk of exploitation. Additionally, prevent execution of PHP files uploaded through the system so that an uploaded file cannot lead to remote code execution.
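The second workaround above, preventing uploaded PHP files from ever being executed, is usually enforced at the web server rather than in the application. The configuration below is an added example written for this advisory; it is not Cockpit's own configuration and not taken from the project. It assumes an nginx front end with PHP-FPM, a placeholder document root of /var/www/cockpit, and an upload directory under /storage/uploads/ (a placeholder; substitute the directory your deployment actually writes uploads to).

```nginx
# Added example, not Cockpit's own configuration. Placeholder paths and
# hostname: adjust to your deployment.

server {
    listen 80;
    server_name cockpit.example.internal;   # placeholder hostname
    root /var/www/cockpit;                  # placeholder document root
    index index.php;

    # Upload directory: serve its contents as static files only.
    # The ^~ modifier makes this prefix match final, so nginx stops
    # evaluating regex locations and the PHP-FPM handler further down can
    # never be selected for anything under this path, whatever order the
    # regex locations appear in.
    location ^~ /storage/uploads/ {
        # Belt and braces: refuse to serve PHP-looking files at all, so a
        # misconfigured handler elsewhere cannot pick them up either.
        location ~* \.(php|phar|phtml|phps)$ {
            return 403;
        }
        try_files $uri =404;
    }

    # PHP handler for the application itself (everything outside uploads).
    location ~ \.php$ {
        try_files $uri =404;   # never forward a non-existent script to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

To check the change, run `nginx -t` and reload, then request a `.php` path under the upload prefix and confirm the response is a 403 rather than interpreter output, while an image in the same directory is still served as a plain static file. The same idea applies to Apache (a `<Directory>` block for the upload path with the PHP handler removed and `php_admin_flag engine off`); the nginx form is shown because the `^~` prefix match makes the ordering guarantee explicit. Keep the upload directory out of any PHP include path as well, since this page describes the weakness as living in include/require file-name handling, not only in direct requests to uploaded files.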

Related Identifiers

BDU:2023-04596
CVE-2023-4195
GHSA-XCQ3-7PF3-5JVC

Affected Products

Cockpit