Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.