Cockpit CMS SQL Injection Vulnerability in MongoLite Aggregation Optimizer

Vulnerability

Cockpit CMS versions prior to 2.13.4 contain a SQL injection vulnerability in the MongoLite Aggregation Optimizer, the component that turns aggregation pipelines into SQL against the SQLite content database. The issue is reachable when API access is enabled and the '/api/content/aggregate/{model}' endpoint is exposed to untrusted users. An attacker holding a valid read-only API key can supply crafted field names in an aggregation query; because those names are interpolated into the generated SQL without sanitization, the attacker can alter the query, bypass the published-content filter, and read unpublished or otherwise restricted documents from the SQLite content database.
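To make the bug class concrete, the following is an added, self-contained model written for this page; it is not Cockpit's code (Cockpit is written in PHP) and it assumes a simplified storage layout: a table with one JSON document per row and a `_state` flag that marks published content. The vulnerable builder binds the match value but splices the field name into the `json_extract` path, so a crafted field name rewrites the WHERE clause and the published-content filter no longer constrains the result. The hardened builder validates the field as a dotted identifier and binds the JSON path as a parameter, so it can never become SQL text.

```python
"""Model of an aggregation $match stage compiled to SQLite.

Assumed, simplified schema (not Cockpit's own code): one JSON document per row,
with "_state": 1 meaning published. Sample documents are constructed here.
"""
import re
import sqlite3

# Constructed sample data; only the first document is published.
SAMPLE_DOCS = [
    '{"title": "Hello", "_state": 1, "body": "public post"}',
    '{"title": "Draft", "_state": 0, "body": "unpublished draft"}',
    '{"title": "Hello", "_state": 0, "body": "unpublished copy"}',
]

# A field name is a dotted path of plain identifiers, nothing else.
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def open_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample documents."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (document TEXT NOT NULL)")
    con.executemany("INSERT INTO posts VALUES (?)", [(d,) for d in SAMPLE_DOCS])
    return con


def is_valid_field(field: str) -> bool:
    """True only for identifier-style field names such as 'title' or 'meta.slug'."""
    return FIELD_RE.fullmatch(field) is not None


def vulnerable_match(field: str, value: str) -> list:
    """Vulnerable pattern: the value is bound, but the field name is interpolated
    into the JSON path, so the caller controls part of the SQL text."""
    sql = (
        "SELECT json_extract(document, '$.body') FROM posts "
        f"WHERE json_extract(document, '$.{field}') = ? "
        "AND json_extract(document, '$._state') = 1"
    )
    con = open_db()
    try:
        return [row[0] for row in con.execute(sql, (value,))]
    finally:
        con.close()


def safe_match(field: str, value: str) -> list:
    """Hardened pattern: reject anything that is not an identifier path, and bind
    the JSON path as a parameter instead of formatting it into the statement."""
    if not is_valid_field(field):
        raise ValueError(f"invalid field name: {field!r}")
    sql = (
        "SELECT json_extract(document, '$.body') FROM posts "
        "WHERE json_extract(document, ?) = ? "
        "AND json_extract(document, '$._state') = 1"
    )
    con = open_db()
    try:
        return [row[0] for row in con.execute(sql, ("$." + field, value))]
    finally:
        con.close()


if __name__ == "__main__":
    # Crafted field name: closes the path literal and ORs in an always-true
    # predicate, so the published-content condition no longer limits the rows.
    injected_field = "title') IS NOT NULL OR ('x"
    print(vulnerable_match("title", "Hello"))          # published rows only
    print(vulnerable_match(injected_field, "x"))       # every row, filter bypassed
    print(safe_match("title", "Hello"))                # same as the honest query
    try:
        safe_match(injected_field, "x")
    except ValueError as err:
        print("rejected:", err)
```

The injected field name works without a comment sequence, so the number of bound parameters still matches the placeholders and the statement executes normally; the `OR` simply binds weaker than the `AND` that carries the published-content check, which is why that check stops mattering. Validation of the name is kept even though the path is bound, because a bound path still lets a caller probe arbitrary document keys.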

Impact

Successful exploitation lets an attacker holding only a read-only API key alter the SQL generated for aggregation queries. That is enough to bypass the published-content restriction and read data from the SQLite content database that the API would otherwise withhold, including unpublished or restricted entries.

Remediation

Users are advised to upgrade to Cockpit CMS version 2.13.5 or later, where this vulnerability has been patched. The update is available on the Cockpit GitHub Releases page. Until the upgrade is applied, exposure can be reduced by disabling API access or restricting the '/api/content/aggregate/{model}' endpoint to trusted clients, since both are preconditions for this issue.

Added: Mar 18, 2026, 4:23 AM
Updated: Mar 18, 2026, 4:23 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.