forked from rubysec/ruby-advisory-db
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7b6de19
commit 0fa2cbc
Showing
3 changed files
with
96 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| gem: openc3 | ||
| cve: 2024-43795 | ||
| ghsa: vfj8-5pj7-2f9g | ||
| url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g | ||
| title: OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`) | ||
| date: 2024-10-02 | ||
| description: | | ||
| ### Summary | ||
| The login functionality contains a reflected cross-site scripting | ||
| (XSS) vulnerability. | ||
| Note: This CVE only affects Open Source Edition, and not | ||
| OpenC3 COSMOS Enterprise Edition | ||
| ### Impact | ||
| This issue may lead up to Remote Code Execution (RCE). | ||
| **NOTE:** The complete advisory with much more information is added as | ||
| [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g#advisory-comment-104904). | ||
| cvss_v4: 5.1 | ||
| patched_versions: | ||
| - ">= 5.19.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-43795 | ||
| - https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g | ||
| - https://github.com/OpenC3/cosmos/commit/762d7e0e93bdc2f340b1e42acccedc78994a576e | ||
| - https://github.com/advisories/GHSA-vfj8-5pj7-2f9g |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| gem: openc3 | ||
| cve: 2024-46977 | ||
| ghsa: 8jxr-mccc-mwg8 | ||
| url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8 | ||
| title: OpenC3 Path Traversal via screen controller (`GHSL-2024-127`) | ||
| date: 2024-10-02 | ||
| description: | | ||
| ### Summary | ||
| A path traversal vulnerability inside of `LocalMode`'s | ||
| `open_local_file` method allows an authenticated user with | ||
| adequate permissions to download any `.txt` via the | ||
| `ScreensController#show` on the web server COSMOS is running | ||
| on (depending on the file permissions). | ||
| Note: This CVE affects all OpenC3 COSMOS Editions | ||
| ### Impact | ||
| This issue may lead to Information Disclosure. | ||
| **NOTE:** The complete advisory with much more information is added as | ||
| [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8#advisory-comment-104903). | ||
| cvss_v4: 5.3 | ||
| patched_versions: | ||
| - ">= 5.19.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-46977 | ||
| - https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8 | ||
| - https://github.com/OpenC3/cosmos/commit/a34e61aea5a465f0ab3e57d833ae7ff4cafd710b | ||
| - https://github.com/advisories/GHSA-8jxr-mccc-mwg8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| gem: openc3 | ||
| cve: 2024-47529 | ||
| ghsa: 4xqv-47rm-37mm | ||
| url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm | ||
| title: OpenC3 stores passwords in clear text (`GHSL-2024-129`) | ||
| date: 2024-10-02 | ||
| description: | | ||
| ### Summary | ||
| OpenC3 COSMOS stores the password of a user unencrypted in the | ||
| LocalStorage of a web browser. This makes the user password | ||
| susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). | ||
| Note: This CVE only affects Open Source edition, and not | ||
| OpenC3 COSMOS Enterprise Edition | ||
| ### Impact | ||
| This issue may lead to Information Disclosure. | ||
| **NOTE:** The complete advisory with much more information is added as | ||
| [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm#advisory-comment-104905). | ||
| cvss_v3: 5.9 | ||
| cvss_v4: 4.8 | ||
| patched_versions: | ||
| - ">= 5.19.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-47529 | ||
| - https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm | ||
| - https://github.com/OpenC3/cosmos/commit/b5ab34fe7fa54c0c8171c4aa3caf4e03d6f63bd7 | ||
| - https://github.com/advisories/GHSA-4xqv-47rm-37mm |