Agentejo Cockpit CMS resetpassword NoSQLi (CVE-2020-35847) - Vulnerability Database

Description

Agentejo Cockpit CMS versions prior to 0.11.2 contain multiple NoSQL injection vulnerabilities in the password reset functionality. These vulnerabilities allow attackers to manipulate database queries by injecting malicious operators into user-supplied input fields, bypassing authentication controls and potentially gaining administrative access to the CMS.

Remediation

Immediately upgrade Agentejo Cockpit CMS to version 0.11.2 or later, which addresses these NoSQL injection vulnerabilities. If an immediate upgrade is not possible, implement the following temporary mitigations:

1. Restrict access to the password reset functionality at the web server or firewall level to trusted IP addresses only.
2. Implement additional authentication layers, such as multi-factor authentication, for administrative accounts.
3. Monitor application logs for suspicious password reset attempts or unusual database query patterns.

After upgrading, review all user accounts for unauthorized modifications and reset passwords for all administrative accounts as a precautionary measure.
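As an added example (not Cockpit's own code), the following Python shows the kind of server-side check that stops operator injection in a password-reset flow: every field that is bound into the account lookup must be a plain string, so JSON objects or arrays carrying query operators are rejected before they reach the database layer. The same check doubles as a log-review helper for mitigation (3). The request field names are assumed, not taken from Cockpit.

```python
"""Added example (not Cockpit's code): reject NoSQL operator injection in a
password-reset request before it reaches the database layer."""
import json

# Assumed field names for a password-reset request; Cockpit's own
# parameter names are not reproduced here.
EXPECTED_STRING_FIELDS = ("user", "token", "password")


class InvalidResetRequest(ValueError):
    pass


def _contains_operator(value):
    """True if a nested dict/list carries a '$'-prefixed key, the hallmark
    of a NoSQL query operator smuggled through a JSON body."""
    if isinstance(value, dict):
        return any(k.startswith("$") or _contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(_contains_operator(v) for v in value)
    return False


def validate_reset_request(raw_body: str) -> dict:
    """Parse a JSON body and enforce that every field the reset flow binds
    into a query is a non-empty, bounded-length string. Objects, arrays and
    operators are rejected instead of being handed to the query builder."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InvalidResetRequest(f"body is not valid JSON: {exc}")
    if not isinstance(body, dict):
        raise InvalidResetRequest("body must be a JSON object")
    clean = {}
    for field in EXPECTED_STRING_FIELDS:
        if field not in body:
            continue  # which fields are mandatory depends on the reset step
        value = body[field]
        if not isinstance(value, str):
            kind = "operator" if _contains_operator(value) else type(value).__name__
            raise InvalidResetRequest(f"field {field!r} must be a string, got {kind}")
        if not value or len(value) > 256:
            raise InvalidResetRequest(f"field {field!r} has invalid length")
        clean[field] = value
    return clean


def is_suspicious(raw_body: str) -> bool:
    """Log-review helper: flag a recorded reset body that the check above
    would have rejected (constructed sample bodies are used in the test)."""
    try:
        validate_reset_request(raw_body)
    except InvalidResetRequest:
        return True
    return False
```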