Lucene search

Veracode Vulnerability DatabaseVERACODE:44670

HistoryDec 14, 2023 - 6:05 a.m.

Cross-Site Scripting (XSS)

2023-12-1406:05:03

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

github

arduino

create agent

cross-site scripting

vulnerability

input sanitization

certificate endpoint

reflected xss

attacks

software

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

github.com/arduino/arduino-create-agent is vulnerable to Cross-Site Scripting. The vulnerability is due to a lack of user input and custom error messages sanitization in the /certificate.crt endpoint. This allows attackers to execute Reflected Cross-Site Scripting (XSS) attacks through specially crafted links.

References

github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8

github.com/arduino/arduino-create-agent/pull/858

github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h