CVE-2020-35131
CVE-2020-35131
Vexday Risk Score
52Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS —EPSS 51.3%KEV nãoPoC —Nuclei simMetasploit —Patch —
Lifecycle
08 Jan 2021Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
Affected products
n/a · n/a