CVE-2024-4825 - Vulnerability Details - OpenCVE

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Agentejo

Cockpit CMS

unaffected

Version	Status	Constraints
`0.5.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*

No data.

No data.

Subscriptions

Vendors	Products
Agentejo Subscribe	Cockpit Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1810	A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.
Github GHSA	GHSA-vpj8-xfqc-jcv9	Cockpit CMS contains an arbitrary file upload vulenrability

Fixes

Solution

Update to version 2.7.0.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms

History

Fri, 27 Jun 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Agentejo Agentejo cockpit
CPEs		cpe:2.3:a:agentejo:cockpit:0.5.5:::::::*
Vendors & Products		Agentejo Agentejo cockpit

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-05-13T11:23:20.416Z

Updated: 2024-08-01T20:55:10.120Z

Reserved: 2024-05-13T08:15:39.916Z

Link: CVE-2024-4825

Vulnrichment

Updated: 2024-08-01T20:55:10.120Z

NVD

Status : Analyzed

Published: 2024-05-14T15:45:16.483

Modified: 2025-06-27T15:04:13.027

Link: CVE-2024-4825

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-434

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4825", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-05-13T08:15:39.916Z", "datePublished": "2024-05-13T11:23:20.416Z", "dateUpdated": "2024-08-01T20:55:10.120Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cockpit CMS", "vendor": "Agentejo", "versions": [{"status": "affected", "version": "0.5.5"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "datePublic": "2024-05-13T11:14:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."}], "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-13T11:23:20.416Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 2.7.0.<br>"}], "value": "Update to version 2.7.0.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "agentejo", "product": "cockpit", "cpes": ["cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.5.5", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T16:04:16.036250Z", "id": "CVE-2024-4825", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T16:05:02.922Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:55:10.120Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:55:10.120Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4825", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-05T16:04:16.036250Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:agentejo:cockpit:0.5.5:*:*:*:*:*:*:*"], "vendor": "agentejo", "product": "cockpit", "versions": [{"status": "affected", "version": "0.5.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T16:04:58.304Z"}}], "cna": {"title": "Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Agentejo", "product": "Cockpit CMS", "versions": [{"status": "affected", "version": "0.5.5"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to version 2.7.0.\n", "supportingMedia": [{"type": "text/html", "value": "Update to version 2.7.0.<br>", "base64": false}]}], "datePublic": "2024-05-13T11:14:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in \u2018/media/api\u2019 parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-13T11:23:20.416Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4825", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:55:10.120Z", "dateReserved": "2024-05-13T08:15:39.916Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-05-13T11:23:20.416Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}