{"id":"CVE-2020-35846","details":"Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.","modified":"2026-04-10T04:25:57.034026Z","published":"2020-12-30T01:15:12.497Z","references":[{"type":"ADVISORY","url":"https://getcockpit.com/"},{"type":"FIX","url":"https://github.com/agentejo/cockpit/commit/79fc9631ffa29146e3124ceaf99879b92e1ef24b"},{"type":"FIX","url":"https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466"},{"type":"FIX","url":"https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/162282/Cockpit-CMS-0.11.1-NoSQL-Injection-Remote-Command-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/agentejo/cockpit","events":[{"introduced":"0"},{"fixed":"6a7cb0aa5abf275dbb6f0c12474b2d4150f60484"},{"fixed":"2a385af8d80ed60d40d386ed813c1039db00c466"},{"fixed":"33e7199575631ba1f74cba6b16b10c820bec59af"},{"fixed":"79fc9631ffa29146e3124ceaf99879b92e1ef24b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.11.2"}]}}],"versions":["0.10.0","0.10.1","0.10.2","0.11.0","0.11.1","0.11.2","0.7.1","0.7.2","0.9.2","0.9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35846.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}