SCA: security update for cockpit-hq/cockpit (GHSA-j4rj-fgcq-wmqp)

medium Tenable Self-Hosted Container Security Plugin ID 428295

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects
some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads
to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to
address this issue. The patch is named bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to
upgrade the affected component. The vendor was contacted early about this disclosure and acted very
professional. A patch and new release was made available very quickly. (CVE-2025-7053)

See Also

https://github.com/advisories/GHSA-j4rj-fgcq-wmqp

Plugin Details

Severity: Medium

ID: 428295

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 7/4/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-7053

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/4/2025

Vulnerability Publication Date: 7/4/2025

Reference Information

CVE: CVE-2025-7053

cwe: CWE-79