NoSQL Injections and Code Injection in Cockpit CMS

We discussed this vulnerability during Episode 73 on 20 April 2021

Four pre-auth blind NoSQL injections in Cockpit CMS, plus an authenticated PHP code injection.

Bugs 1 and 2 - The first issue was in the auth/check endpoint used to authenticate users. It took the user parameter and passed it directly into a filter object with no sanitization or type check, so a request could supply an array of query operators instead of a plain string. MongoLite, the document store Cockpit uses, supports a $func operator that calls any PHP function by name with a single parameter, so passing var_dump dumps every user record in the database. The same injection existed in the auth/requestreset endpoint used to create password reset tokens.

Bugs 3 and 4 - The third and fourth issues were in /auth/resetpassword and /auth/newpassword respectively: the same injection, this time on the token parameter, and the same trick allowed dumping of valid password reset tokens. Chaining one of these two issues with one of the previous two gave you valid usernames and valid tokens. With a token you could use the API to dump user account information, which you could use to brute-force the password hash and reset the password. That leads to RCE because Cockpit's "Finder" (file explorer) lets an authenticated user upload files, so you can upload a web shell.
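To make the mechanism behind bugs 1 to 4 concrete, here is an added PHP example (not Cockpit's or MongoLite's own code). It shows how a bracketed request parameter arrives as a nested array rather than a string, how a simplified MongoLite-style filter evaluator treats a $func key in that array as an operator that runs a PHP function by name, and a type check that keeps only plain strings reaching the user and token filters. The evaluator, the sample user documents and every function name here are assumptions made for illustration; in particular, exactly which value the real $func operator hands to the callable is not modelled precisely.

```php
<?php
// Added example (not Cockpit or MongoLite code). The evaluator below is a
// simplified model of operator-style filter matching; the sample documents
// and all function names are constructed for illustration.

// 1. PHP decodes bracketed parameters into nested arrays, so a request body of
//    user[$func]=var_dump does not reach the application as a string at all.
parse_str('user[$func]=var_dump&password=x', $post);
var_export($post['user']);   // the decoded nested array
echo PHP_EOL;

// Constructed stand-in for the users collection (hashes shortened).
$users = [
    ['_id' => 1, 'user' => 'admin',  'password' => '$2y$10$...', 'api_key' => 'key-admin'],
    ['_id' => 2, 'user' => 'editor', 'password' => '$2y$10$...', 'api_key' => 'key-editor'],
];

// Minimal filter evaluator: plain values are compared for equality, while an
// array condition carrying a $func key is treated as an operator whose
// argument is used as a callable. This is the behaviour the injection abuses;
// in this model the callable receives the whole document.
function matches(array $doc, array $filter): bool
{
    foreach ($filter as $field => $cond) {
        if (is_array($cond) && isset($cond['$func'])) {
            if (!is_callable($cond['$func'])) {
                return false;
            }
            // var_dump writes the document to the response and returns null,
            // so the "condition" fails, but the data has already leaked.
            if (!call_user_func($cond['$func'], $doc)) {
                return false;
            }
        } elseif (($doc[$field] ?? null) !== $cond) {
            return false;
        }
    }
    return true;
}

function findOne(array $collection, array $filter): ?array
{
    foreach ($collection as $doc) {
        if (matches($doc, $filter)) {
            return $doc;
        }
    }
    return null;
}

// Vulnerable pattern: the request parameter goes straight into the filter,
// so the operator array is evaluated against every stored user.
function authCheckVulnerable(array $post, array $users): ?array
{
    return findOne($users, ['user' => $post['user'] ?? null]);
}

// Hardening: accept only a non-empty string for fields such as user and
// token, so no array (and therefore no operator key) can reach the query.
function stringParam(array $post, string $name): ?string
{
    $value = $post[$name] ?? null;
    return (is_string($value) && $value !== '') ? $value : null;
}

function authCheckFixed(array $post, array $users): ?array
{
    $user = stringParam($post, 'user');
    if ($user === null) {
        return null;   // array input is rejected before any query runs
    }
    return findOne($users, ['user' => $user]);
}

authCheckVulnerable($post, $users);   // dumps each user document in turn
var_export(authCheckFixed($post, $users));   // nothing queried, nothing leaked
```

The same stringParam check applies unchanged to the token parameter of /auth/resetpassword and /auth/newpassword: the root cause in all four endpoints is that a value destined for a filter was never constrained to be a scalar, so the request could smuggle query operators into it.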

Bug 5 - The final issue was a PHP code injection when parsing filters on the /accounts/find endpoint, which takes a user-provided filter and uses it to build up a query expression that gets passed to eval. This one is less important, though, because you need to be authenticated to hit it, and as noted above an authenticated user can already upload a web shell through the Finder.