PT-2023-4279 · Cockpit Hq · Cockpit

Aheinze · Published 2023-08-06 · Updated 2023-08-10 · CVE-2023-4196

CVSS v2.0: 8.7 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: cockpit-hq/cockpit versions prior to 2.6.3

Description: The issue is a Stored Cross-site Scripting (XSS) vulnerability in the cockpit-hq/cockpit GitHub repository. It exists because the web page structure is not adequately protected, allowing a remote attacker to conduct an XSS attack. Any role that has permission to execute the assets function can upload an HTML file, which is then served in a way that leads to XSS.

Recommendations: For versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, restrict the ability to upload HTML files and limit execution of the assets function to trusted roles. Additionally, restrict access to sensitive areas of the web application to minimize the risk of exploitation.
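The workaround above amounts to two controls: refuse HTML-like uploads from roles that are not trusted, and serve whatever is accepted so that a browser will not render it as a document. The following is an added illustration of both controls, written for this advisory and not taken from Cockpit's own code; `inspect_upload`, `trusted_roles`, the sample role names and the sample file bytes are all assumptions chosen for the example.

```python
"""Upload gate that refuses HTML-like assets from untrusted roles and returns
the headers needed to serve accepted uploads inertly.

Hypothetical helper written for this advisory; it is not Cockpit's upload code.
"""
import re
from dataclasses import dataclass, field

# Extensions a browser may render as a document. SVG and XML are included
# because both can carry <script> and are rendered inline by browsers.
HTML_EXTENSIONS = frozenset({"html", "htm", "xhtml", "xht", "shtml", "svg", "xml"})

# Markers that identify HTML-like content regardless of the declared extension,
# so a renamed "page.html" -> "photo.png" is still caught by content sniffing.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|svg|iframe|object|embed|meta|link)\b",
    re.IGNORECASE,
)


@dataclass
class UploadDecision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)


def safe_filename(name: str) -> str:
    """Drop any path component and keep a conservative character set."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    return cleaned or "upload"


def looks_like_html(data: bytes) -> bool:
    """Sniff the first 4 KiB, ignoring a UTF-8 BOM and leading whitespace."""
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return HTML_MARKERS.search(head.lstrip()) is not None


def inspect_upload(filename: str, data: bytes, role: str,
                   trusted_roles: frozenset = frozenset({"admin"})) -> UploadDecision:
    """Decide whether an upload is accepted and how it must be served.

    Untrusted roles may not upload anything that is HTML by extension or by
    content. Every accepted file is served as an attachment with sniffing
    disabled and a sandboxed CSP, so even a missed case cannot run script in
    the application's origin.
    """
    name = safe_filename(filename)
    trusted = role in trusted_roles

    # Check every extension component, so "report.html.png" is treated as HTML.
    ext_parts = name.lower().split(".")[1:]
    if not trusted and any(part in HTML_EXTENSIONS for part in ext_parts):
        return UploadDecision(False, f"HTML-like extension not allowed for role {role!r}")

    if not trusted and looks_like_html(data):
        return UploadDecision(False, f"content sniffs as HTML; not allowed for role {role!r}")

    headers = {
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    return UploadDecision(True, "accepted", headers)


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    samples = [
        ("notes.html", b"<html><script>alert(1)</script></html>", "editor"),
        ("photo.png", b"  <!DOCTYPE html><p>disguised</p>", "editor"),
        ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00", "editor"),
        ("../../page.html", b"<html>", "admin"),
    ]
    for fname, blob, who in samples:
        decision = inspect_upload(fname, blob, who)
        print(fname, who, "->", decision.allowed, decision.reason)
```

The content check is deliberately applied even when the extension looks harmless, because the advisory's root cause is that an uploaded HTML document is served as a page; the response headers are the second layer, so that an accepted file is downloaded rather than rendered in the application's origin.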

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-04597
CVE-2023-4196
GHSA-W3QM-93VF-5HRW

Affected Products

Cockpit