Lucene search

MitreCVE-2023-45279

HistoryOct 19, 2023 - 10:15 p.m.

CVE-2023-45279

2023-10-1922:15:09

CWE-79

mitre

web.nvd.nist.gov

yamcs

xss

javascript

file upload

security vulnerability

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

20.8%

JSON

Yamcs 5.8.6 allows XSS (issue 1 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There’s a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by selecting Telemetry from the menu and navigating to the display.

Affected configurations

Nvd

Node

spaceapplicationsyamcsMatch5.8.6

VendorProductVersionCPE
spaceapplicationsyamcs5.8.6cpe:2.3:a:spaceapplications:yamcs:5.8.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
spaceapplications	yamcs	5.8.6	cpe:2.3:a:spaceapplications:yamcs:5.8.6:::::::*

References

github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7

www.linkedin.com/pulse/yamcs-vulnerability-assessment-visionspace-technologies