OpenC3 COSMOS Stores User Password Unencrypted in LocalStorage, Leading to Susceptibility to Exfiltration via Cross-site Scripting
CVE-2024-47529

6.5MEDIUM

Key Information:

Vendor: OpenC3 COSMOS
Status: Cosmos
Vendor: CVE Published:; 2 October 2024

🔔 Create OpenC3 COSMOS Vulnerability Alert

What is CVE-2024-47529?

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition.

References

https://github.com/OpenC3/cosmos/security/advisories/GHSA...

https://github.com/OpenC3/cosmos/commit/b5ab34fe7fa54c0c8...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2024