Cross-Site Scripting Vulnerability in OpenC3 COSMOS by OpenC3
CVE-2025-28380

6.1 MEDIUM

Key Information:

Vendor: OpenC3

Status
Vendor
CVE Published: 13 June 2025

What is CVE-2025-28380?

A cross-site scripting (XSS) vulnerability has been identified in OpenC3 COSMOS v6.0.0. Improper handling of URL parameters enables attackers to execute arbitrary web scripts or HTML. A malicious user can craft a URL that injects harmful scripts into web pages, potentially leading to unauthorized access to user data or actions within the application. To mitigate this risk, users should review access controls and implement appropriate input validation mechanisms.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
