Cockpit
cpe:2.3:a:cockpit-project:cockpit:*:*:*:*:*:*:*
- <= 2.13.5
A directory traversal vulnerability has been identified in Cockpit CMS versions through 2.13.5, specifically within the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite existing files with malicious content. The issue arises because the path validation function only checks for traversal characters in a limited way, allowing alternative traversal methods to bypass the checks.
Exploitation of this vulnerability could lead to unauthorized file writes or overwriting of existing files with malicious content, potentially including executable PHP scripts.
The vulnerability can be reproduced by uploading a file with a supported extension to the Buckets module and then renaming it to a name that contains traversal characters the application's path validation does not catch. The upload and rename requests can be scripted, so exploitation is straightforward once an authenticated session is available.
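The following is an added example, not Cockpit's code and not taken from the advisory. It illustrates the class of defect described above: a blocklist filter that rejects only the literal "../" token is compared with canonicalisation-based confinement of a rename target inside an uploads directory, combined with re-checking the extension allow-list at rename time (the reproduction relies on renaming an already accepted file). The base directory, the allow-list, the sample names and the function names are assumptions; the page does not say which alternative traversal spelling bypasses Cockpit's own check, so the samples are generic.

```python
"""Added example (not Cockpit's code): blocklist-style traversal filter versus
canonicalisation-based confinement for a rename target inside an uploads
directory. Base path, allow-list and sample names are assumed/constructed."""
import posixpath
import urllib.parse

UPLOADS = "/var/www/cockpit/storage/uploads"              # assumed base directory
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}  # assumed allow-list


def weak_is_safe(name: str) -> bool:
    """Blocklist check of the kind the advisory describes: only the literal
    '../' token is rejected, so other spellings of traversal slip through."""
    return "../" not in name


def confine(base: str, name: str):
    """Return the absolute target path if `name` stays inside `base`, else None.

    Steps: reject NUL bytes; percent-decode once (a no-op if the web server
    already decoded the name); treat backslashes as separators; reject absolute
    paths; lexically normalise the joined path and require it to remain under
    `base`. On a live system also pass the result through os.path.realpath so
    symlinks inside the uploads tree cannot redirect the write.
    """
    if "\x00" in name:
        return None
    decoded = urllib.parse.unquote(name).replace("\\", "/")
    if decoded.startswith("/"):
        return None
    target = posixpath.normpath(posixpath.join(base, decoded))
    if target == base or not target.startswith(base.rstrip("/") + "/"):
        return None
    return target


def validate_rename(base: str, new_name: str, allowed_exts=ALLOWED_EXTS):
    """Both checks a rename endpoint needs: path confinement plus the same
    extension allow-list enforced at upload time. Returns the final path or
    None when the rename must be refused."""
    target = confine(base, new_name)
    if target is None:
        return None
    ext = posixpath.splitext(target)[1].lower()
    if ext not in allowed_exts:
        return None
    return target


# Constructed rename targets for demonstration (not from the advisory).
SAMPLES = [
    "avatar.png",                        # benign
    "../../config/bootstrap.php",        # plain traversal, caught by both
    "..%2f..%2fconfig%2fbootstrap.php",  # percent-encoded slashes
    "..\\..\\config\\shell.php",         # backslash separators
    "/etc/passwd",                       # absolute path
    "sub/./shell.php",                   # stays inside uploads, wrong extension
]


def run_samples():
    """Return {name: (weak_verdict, hardened_result)} for the sample list."""
    return {n: (weak_is_safe(n), validate_rename(UPLOADS, n)) for n in SAMPLES}


if __name__ == "__main__":
    for name, (weak, hardened) in run_samples().items():
        print(f"{name!r:40} weak_ok={weak!s:5} hardened={hardened}")
```

The point of `confine` is that the decision is made on the normalised result rather than on the presence of a particular substring in the input: percent-encoded and backslash forms that the blocklist accepts collapse to the same out-of-tree path and are refused. Re-running the extension allow-list in `validate_rename` closes the second half of the reproduction, where a file accepted under a harmless extension is renamed to a .php script.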
Users are advised to update Cockpit CMS to version 2.14.0, which addresses this vulnerability.