CVE-2021-3660
Description
Cockpit (and its plugins) does not appear to protect itself against clickjacking. A page served by a Cockpit server can be rendered inside another website's HTML, which a malicious website may use for clickjacking or similar attacks.
Risk Information
Base Score: 4.3 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score (Exploitation Probability): 0.27
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-debugsource-264.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-doc-264.1-1.el8.noarch.rpm | Linux |
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-264.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-bridge-264.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2022:2008) Moderate: security, bug fix, and enhancement update cockpit-debuginfo-264.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-system-264.1-1.el8.noarch.rpm | Linux |
| (RHSA-2022:2008) cockpit security, bug fix, and enhancement update cockpit-ws-264.1-1.el8.x86_64.rpm | Linux |
| Cockpit update (ELSA-2022-2008) cockpit-264.1-1.0.1.el8.x86_64.rpm | Linux |
| Cockpit-bridge update (ELSA-2022-2008) cockpit-bridge-264.1-1.0.1.el8.x86_64.rpm | Linux |
| Cockpit-doc update (ELSA-2022-2008) cockpit-doc-264.1-1.0.1.el8.noarch.rpm | Linux |
| Cockpit-system update (ELSA-2022-2008) cockpit-system-264.1-1.0.1.el8.noarch.rpm | Linux |
| Cockpit-ws update (ELSA-2022-2008) cockpit-ws-264.1-1.0.1.el8.x86_64.rpm | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2021-3660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3660