Malicious code in arduino-ide-extension (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dcf7ca9bf0f189fb107121b5376feaf1535112a7c3e0c2d426fb74d95e3bf8f9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Arduino: Remote Code Execution

Background Arduino is an open-source AVR electronics prototyping platform. Description A vulnerability has been discovered in Arduino. Please review the CVE identifier referenced below for details. Impact Arduino bundles a vulnerable version of log4j that may lead to remote code execution...

GLSA-202312-04 : Arduino: Remote Code Execution

The remote host is affected by the vulnerability described in GLSA-202312-04 Arduino: Remote Code Execution - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and...

Cross-Site Scripting (XSS)

github.com/arduino/arduino-create-agent is vulnerable to Cross-Site Scripting. The vulnerability is due to a lack of user input and custom error messages sanitization in the /certificate.crt endpoint. This allows attackers to execute Reflected Cross-Site Scripting XSS attacks through specially...

CVE-2023-49296

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handle...

Cross site scripting

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handle...

CVE-2023-49296

The CVE-2023-49296 vulnerability affects the Arduino Create Agent prior to version 1.3.6, where the /certificate.crt endpoint and error-message handling allow Reflected Cross-Site Scripting. An attacker can lure a user to click a malicious link, enabling arbitrary client-side code execution in th...

CVE-2023-49296 Arduino Create Agent vulnerable to Reflected Cross-Site Scripting

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handle...

CVE-2023-49296 Arduino Create Agent vulnerable to Reflected Cross-Site Scripting

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handle...

Arduino Cross-Site Scripting Vulnerability

Arduino is a microcontroller board from the Arduino project. A cross-site scripting vulnerability exists in Arduino Create Agent versions prior to 1.3.6, which stems from vulnerability to reflective cross-site scripting attacks that allow an attacker to execute arbitrary code on the browser clien...

Debian dla-3649 : python-urllib3 - security update

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3649 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3649-1 [email protected] https://www.debian.org/lts/security/...

Path Traversal

github.com/arduino/arduino-create-agent is vulnerable to Path Traversal. The vulnerability results from inadequate sanitization of the filename parameter. Exploiting this flaw, an attacker can execute HTTP requests on the localhost interface or bypass CORS configuration. Consequently, they may be...

Path Traversal

github.com/arduino/arduino-create-agent is vulnerable to Directory Traversal. When the attacker has access to the localhost interface, they can send a specially crafted HTTP POST request to the /v2/pkgs/tools/installed endpoint, specifying the path of the file or folder that they want to delete...

Directory Traversal

github.com/arduino/arduino-create-agent is vulnerable to Directory Traversal. When the attacker has access to the localhost interface, they can send a specially crafted HTTP DELETE request to the /v2/pkgs/tools/installed endpoint, specifying the path of the file or folder that they want to delete...

Privilege Escalation

Arduino Create Agent is vulnerable to Privilege Escalation. The vulnerability is due to the improper handling of requests to the endpoint /v2/pkgs/tools/installed. This can be exploited by an attacker via executing a HTTP requests to the localhost interface leading to the elevation of privileges ...

CVE-2023-43801

Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass t...

CVE-2023-43800

Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those ...

Design/Logic Flaw

Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass t...

Design/Logic Flaw

Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those ...

CVE-2023-43802

Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint /upload which handles request with the filename parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can...