CVE-2023-0759 / Privilege Escalation in the Cockpit CMS
During a pentest I came across Cockpit CMS, an open-source, self-hosted headless CMS (content management system) that is operated entirely through its API.
I discovered a privilege escalation vulnerability affecting Cockpit CMS versions 2.3.6 and 2.3.7; it has since been fixed in version 2.3.8.
To begin the privilege escalation, note that the user “cupcake” was assigned to the “users” role, and that this role had no privileges in the application: as the screenshots below show, every permission was disabled for the “users” role to which “cupcake” belonged during the pentest.
Make any change to the user’s own profile and click “Update” so that the profile update request is sent; intercept that request in a proxy before it reaches the server.
By intercepting and manipulating the request, I was able to change the user’s role field from “users” to “admin,” effectively granting me administrator privileges.
The HTTP 200 response indicated that the server accepted the modified role field without rejecting it; a status code alone is not proof, though, so the change has to be confirmed in the application itself.
As a result of the role change, administrative functions were successfully enabled in the Cockpit CMS, as depicted in the screenshot below.
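The bug class behind this finding is mass assignment: a profile update handler that copies every posted field into the stored user record, including `role`, so the role can be set by whoever sends the request. The following is an added illustration written for this article, not Cockpit CMS code; the user store, role names, handler functions and field names are hypothetical. It places a vulnerable handler beside a hardened one and replays the tampered update against both, re-reading the stored record rather than trusting the status code.

```python
"""Mass assignment of a 'role' field in a profile update handler.

Hypothetical illustration, not Cockpit CMS code: an in-memory user store
with two handlers. update_profile_vulnerable() merges the posted body
straight into the caller's record, so a low-privilege user who rewrites
"role" in the intercepted request promotes themselves.
update_profile_hardened() only accepts whitelisted self-editable fields
and treats a role change as an admin-only operation.
"""
from copy import deepcopy

# Constructed sample data: the "users" role carries no permissions at all.
ROLES = {
    "admin": {"manage_users": True, "manage_content": True},
    "users": {},
}

USERS = {
    "cupcake": {"name": "cupcake", "email": "cupcake@example.test", "role": "users"},
    "root": {"name": "root", "email": "root@example.test", "role": "admin"},
}

# Fields a user may change on their own profile. "role" is deliberately absent.
SELF_EDITABLE = {"name", "email"}


def permissions(store, username):
    """Effective permissions of a user, looked up through the stored role."""
    return ROLES.get(store[username]["role"], {})


def update_profile_vulnerable(store, caller, payload):
    """Vulnerable: every field in the request body lands in the user record."""
    store[caller].update(payload)  # nothing checks whether "role" may be set
    return 200, deepcopy(store[caller])


def update_profile_hardened(store, caller, payload):
    """Hardened: whitelist fields; only an admin may assign a known role."""
    unexpected = set(payload) - SELF_EDITABLE - {"role"}
    if unexpected:
        return 400, deepcopy(store[caller])
    if "role" in payload:
        caller_is_admin = store[caller]["role"] == "admin"
        if not caller_is_admin or payload["role"] not in ROLES:
            return 403, deepcopy(store[caller])
    store[caller].update(payload)
    return 200, deepcopy(store[caller])


def replay_tampered_update(handler):
    """Replay the intercepted profile update with "role" rewritten to "admin".

    Returns (status, stored role, effective permissions) so that the outcome
    is judged on the stored record, not on the status code alone.
    """
    store = deepcopy(USERS)
    # Constructed intercepted body: a harmless profile save with "role" tampered.
    tampered = {"name": "cupcake", "email": "cupcake@example.test", "role": "admin"}
    status, _ = handler(store, "cupcake", tampered)
    return status, store["cupcake"]["role"], permissions(store, "cupcake")


def legitimate_update(handler):
    """A plain name change on the caller's own profile must still succeed."""
    store = deepcopy(USERS)
    status, record = handler(store, "cupcake", {"name": "Cupcake"})
    return status, record["name"], record["role"]


if __name__ == "__main__":
    for name, handler in (("vulnerable", update_profile_vulnerable),
                          ("hardened", update_profile_hardened)):
        status, role, perms = replay_tampered_update(handler)
        print(f"{name}: HTTP {status}, stored role={role!r}, permissions={perms}")
```

The hardened handler rejects the tampered body with 403 and leaves “cupcake” in the “users” role, while an ordinary name change still returns 200. In a real review the same question is asked of the actual update endpoint: which posted fields reach the user record, and is the role one of them.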
POC:
Tip: For a better visualization, you can open the GIF in another tab. ;)
I just wanted to take a moment to thank you for taking the time to read my article. While the vulnerability I exploited might seem straightforward, it can have serious consequences within the context of the application.
As a pentester, it’s important for me to highlight how seemingly small vulnerabilities can lead to bigger problems if they’re not addressed. By sharing my findings, I hope to encourage developers to take a closer look at their own systems and ensure that they’re taking every necessary precaution to protect against potential attacks.
Again, thank you for reading and for taking security seriously. 🕺🏼🎉