CVE-2025-7053
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-10-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentejo | cockpit | up to 2.11.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7053 is a cross-site scripting (XSS) vulnerability in Cockpit versions up to 2.11.3. It occurs due to improper handling of user input in the name and email parameters at the /system/users/save endpoint. Malicious scripts can be injected because user input is not properly escaped before being included in the web page output. This allows attackers to execute arbitrary JavaScript in the browsers of users who view the affected pages. The vulnerability can be exploited remotely and requires some user interaction. It was fixed in Cockpit version 2.11.4 by escaping user-provided data in the admin UI views to prevent script injection. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to execution of arbitrary JavaScript in the browsers of users who access the affected Cockpit interface. Potential impacts include theft of session cookies and sensitive data, unauthorized actions performed on behalf of users, and compromise of data integrity. Since the vulnerability allows injection of malicious scripts that persist and execute when rendered, attackers can exploit it remotely to affect users interacting with the system. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /system/users/save endpoint for improper sanitization of the 'name' and 'email' parameters. A practical approach is to send crafted POST requests with payloads containing special characters or event handlers (e.g., a payload like Admin" onmouseover="alert(42) in the username field) and observe whether the input is reflected unsanitized in the web interface, leading to script execution. For example, using curl to send a POST request with JSON data to the vulnerable endpoint can help detect the issue. Specific commands might include:

```sh
curl -X POST https://<target>/system/users/save -H 'Content-Type: application/json' -d '{"name":"Admin\" onmouseover=\"alert(42)", "email":"[email protected]"}'
```

Monitoring the web interface for execution of injected scripts (such as alert popups) confirms the vulnerability. Since the vulnerability is a stored XSS, reviewing the rendered user interface for unsanitized user input is key. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Cockpit to version 2.11.4 or later, where the vulnerability has been fixed by properly escaping user input in the affected views. If upgrading is not immediately possible, applying the patch identified by commit bdcd5e3bc651c0839c7eea807f3eb6af856dbc76, which escapes user-provided data in the relevant PHP view files, will mitigate the issue. Additionally, disabling the vulnerable feature or restricting access to the /system/users/save endpoint until patched can reduce risk. Ensuring that cookies have the HttpOnly flag set can also help mitigate session theft risks from XSS. [2, 4]
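As an added illustration of the fix class this answer describes, and not Cockpit's own code or the referenced commit: a PHP view fragment that concatenates the stored name and email into attributes, beside the escaped form, plus a small post-upgrade audit helper. The markup, the `$users` records and the function names are assumptions constructed for this example.

```php
<?php
// Added example, not Cockpit's code or its patch: shows why concatenating a
// stored 'name' into a double-quoted attribute is exploitable and how
// attribute-context escaping neutralises it. Markup and data are constructed.
// Constructed records; the first carries the payload quoted in the detection
// answer, as it would sit in storage after an unsanitised /system/users/save.
$users = [
    ['id' => 1, 'name' => 'Admin" onmouseover="alert(42)', 'email' => 'a@example.invalid'],
    ['id' => 2, 'name' => 'Bob',                           'email' => 'b@example.invalid'],
];

// Vulnerable rendering: the quote in the value closes the attribute early and
// the remainder becomes a new attribute (an event handler) on the element.
function renderUserVulnerable(array $u): string {
    return '<input name="name" value="' . $u['name'] . '">'
         . '<input name="email" value="' . $u['email'] . '">';
}

// Escaped rendering: ENT_QUOTES encodes both quote kinds as well as < > &, so
// the browser sees exactly one attribute whose value is the literal string.
// Apply it to every user-controlled value in both attribute and text context.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderUserEscaped(array $u): string {
    return '<input name="name" value="' . e($u['name']) . '">'
         . '<input name="email" value="' . e($u['email']) . '">';
}

// Post-upgrade audit (an assumption, not from the advisory): escaping makes
// stored payloads inert, but records written while vulnerable still hold
// them; flag name/email values with attribute-breaking or handler-like text.
function findSuspiciousUsers(array $users): array {
    $hits = [];
    foreach ($users as $u) {
        foreach (['name', 'email'] as $field) {
            if (preg_match('/["\'<>]|\bon\w+\s*=/i', (string) ($u[$field] ?? ''))) {
                $hits[] = ['id' => $u['id'], 'field' => $field, 'value' => $u[$field]];
            }
        }
    }
    return $hits;
}

foreach ($users as $u) {
    echo renderUserVulnerable($u), PHP_EOL, renderUserEscaped($u), PHP_EOL;
}
print_r(findSuspiciousUsers($users));
```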